-1. Under **Policies**, select **User flows (policies)**.

-## December 2021

-### New articles

-### Updated articles

-| Windows Hello for Business | Yes | MFA |

-* Push notifications that use the Microsoft Authenticator app are currently processed in regional datacenters based on the user's location. Vendor-specific device services, such as Apple Push Notification Service, might be outside the user's location.

-description: Learn how to configure an application's publisher domain to let users know where their information is being sent.

-# Configure an application's publisher domain

-An applicationΓÇÖs publisher domain informs the users where their information is being sent and acts as an input/prerequisite for [publisher verification](publisher-verification-overview.md). Depending on whether an app is a [multi-tenant app](/azure/architecture/guide/multitenant/overview), when it was registered and it's verified publisher status, either the publisher domain or the verified publisher status will be displayed to the user on the [application's consent prompt](application-consent-experience.md). Multi-tenant applications are applications that support accounts outside of a single organizational directory; for example, support all Azure AD accounts, or support all Azure AD accounts and personal Microsoft accounts.

-## New applications

-When you register a new app, the publisher domain of your app may be set to a default value. The value depends on where the app is registered, particularly whether the app is registered in a tenant and whether the tenant has tenant verified domains.

-If there are tenant-verified domains, the appΓÇÖs publisher domain will default to the primary verified domain of the tenant. If there are no tenant verified domains (which is the case when the application is not registered in a tenant), the appΓÇÖs publisher domain will be set to null.

-The following table summarizes the default behavior of the publisher domain value.

-| Tenant-verified domains | Default value of publisher domain |

-| *.onmicrosoft.com | *.onmicrosoft.com |

-| - *.onmicrosoft.com<br/>- domain1.com<br/>- domain2.com (primary) | domain2.com |

-1. If your multi-tenant was registered between **May 21, 2019 and November 30, 2020**:

- - If the application's publisher domain isn't set, or if it's set to a domain that ends in .onmicrosoft.com, the app's consent prompt will show **unverified** in place of the publisher domain.

- - If the application has a verified app domain, the consent prompt will show the verified domain.

- - If the application is publisher verified, it will show a [blue "verified" badge](publisher-verification-overview.md) indicating the same

-2. If your multi-tenant was registered after **November 30, 2020**:

- - If the application is not publisher verified, the app will show as "**unverified**" in the consent prompt (i.e, no publisher domain related info is shown)

- - If the application is publisher verified, it will show a [blue "verified" badge](publisher-verification-overview.md) indicating the same

-## Grandfathered applications

-If your app was registered **before May 21, 2019**, your application's consent prompt will not show **unverified** even if you have not set a publisher domain. We recommend that you set the publisher domain value so that users can see this information on your app's consent prompt.

-## Configure publisher domain using the Azure portal

-To set your app's publisher domain, follow these steps.

-1. Sign in to the <a href="https://portal.azure.com/" target="_blank">Azure portal</a>.

-1. If you have access to multiple tenants, use the **Directory + subscription** filter :::image type="icon" source="./media/common/portal-directory-subscription-filter.png" border="false"::: in the top menu to select the tenant in which the app is registered.

-1. Navigate to [Azure Active Directory > App registrations](https://go.microsoft.com/fwlink/?linkid=2083908) to find and select the app that you want to configure.

- Once you've selected the app, you'll see the app's **Overview** page.

-1. Under **Manage**, select the **Branding**.

-1. Find the **Publisher domain** field and select one of the following options:

- - Select **Configure a domain** if you haven't configured a domain already.

- - Select **Update domain** if a domain has already been configured.

-If your app is registered in a tenant, you'll see two tabs to select from: **Select a verified domain** and **Verify a new domain**.

-If your domain isn't registered in the tenant, you'll only see the option to verify a new domain for your application.

-### To verify a new domain for your app

-1. Create a file named `microsoft-identity-association.json` and paste the following JSON code snippet.

- "applicationId": "{YOUR-APP-ID-HERE}"

- "applicationId": "{YOUR-OTHER-APP-ID-HERE}"

-1. Replace the placeholder *{YOUR-APP-ID-HERE}* with the application (client) ID that corresponds to your app.

-1. Host the file at: `https://{YOUR-DOMAIN-HERE}.com/.well-known/microsoft-identity-association.json`. Replace the placeholder *{YOUR-DOMAIN-HERE}* to match the verified domain.

-1. Click the **Verify and save domain** button.

-You're not required to maintain the resources that are used for verification after a domain has been verified. When the verification is finished, you can remove the hosted file.

-### To select a verified domain

-If your tenant has verified domains, select one of the domains from the **Select a verified domain** dropdown.

-> The expected `Content-Type` header that should be returned is `application/json`. You may get an error if you use anything else, like `application/json; charset=utf-8`:

-## Implications on the app consent prompt

-Configuring the publisher domain has an impact on what users see on the app consent prompt. To fully understand the components of the consent prompt, see [Understanding the application consent experiences](application-consent-experience.md).

-The following table describes the behavior for applications created before May 21, 2019.

-

-The behavior for applications created between May 21, 2019 and November 30, 2020 will depend on the publisher domain and the type of application. The following table describes what is shown on the consent prompt with the different combinations of configurations.

-

-For multi-tenant applications created after November 30, 2020, only publisher verification status is surfaced in the consent prompt. The following table describes what is shown on the consent prompt depending on whether an app is verified or not. Consent prompt for single tenant applications will remain the same as above.

-

-## Implications on redirect URIs

-Applications that sign in users with any work or school account, or personal Microsoft accounts (multi-tenant) are subject to few restrictions when specifying redirect URIs.

-When the publisher domain value for multi-tenant apps is set to null, apps are restricted to share a single root domain for the redirect URIs. For example, the following combination of values isn't allowed because the root domain, contoso.com, doesn't match fabrikam.com.

-```

-"https://contoso.com",

-Subdomains are allowed, but you must explicitly register the root domain. For example, while the following URIs share a single root domain, the combination isn't allowed.

-```

-However, if the developer explicitly adds the root domain, the combination is allowed.

-```

-### Exceptions

-Currently, there is no REST API or PowerShell support to configure publisher domain programmatically.

-description: Provides an overview of the publisher verification program for the Microsoft identity platform. Lists the benefits, program requirements, and frequently asked questions. When an application is marked as publisher verified, it means that the publisher has verified their identity using a Microsoft Partner Network account that has completed the verification process and has associated this MPN account with their application registration.

-Publisher verification helps admins and end users understand the authenticity of application developers integrating with the Microsoft identity platform.

-> [!VIDEO https://www.youtube.com/embed/IYRN2jDl5dc]

-When an application is marked as publisher verified, it means that the publisher has verified their identity using a [Microsoft Partner Network](https://partner.microsoft.com/membership) account that has completed the [verification](/partner-center/verification-responses) process and has associated this MPN account with their application registration.

-A blue "verified" badge appears on the Azure AD consent prompt and other screens:

-

-This feature is primarily for developers building multi-tenant apps that leverage [OAuth 2.0 and OpenID Connect](active-directory-v2-protocols.md) with the [Microsoft identity platform](v2-overview.md). These apps can sign users in using OpenID Connect, or they may use OAuth 2.0 to request access to data using APIs like [Microsoft Graph](https://developer.microsoft.com/graph/).

-Publisher verification provides the following benefits:

-> - Starting in November 2020, end users will no longer be able to grant consent to most newly registered multi-tenant apps without verified publishers if [risk-based step-up consent](../manage-apps/configure-risk-based-step-up-consent.md) is enabled. This will apply to apps that are registered after November 8, 2020, use OAuth2.0 to request permissions beyond basic sign-in and read user profile, and request consent from users in different tenants than the one the app is registered in. A warning will be displayed on the consent screen informing users that these apps are risky and are from unverified publishers.

-There are a few pre-requisites for publisher verification, some of which will have already been completed by many Microsoft partners. They are:

- - In Azure AD this user must be a member of one of the following [roles](../roles/permissions-reference.md): Application Admin, Cloud Application Admin, or Global Admin.

- - In Partner Center this user must have of the following [roles](/partner-center/permissions-overview): MPN Partner Admin, Account Admin, or a Global Admin (this is a shared role mastered in Azure AD).

-

-Developers who have already met these pre-requisites can get verified in a matter of minutes. If the requirements have not been met, getting set up is free.

-## National Clouds and Publisher Verification

-Publisher verification is currently not supported in national clouds. Applications registered in national cloud tenants can't be publisher-verified at this time.

-## Frequently asked questions

-Below are some frequently asked questions regarding the publisher verification program. For FAQs related to the requirements and the process, see [mark an app as publisher verified](mark-app-as-publisher-verified.md).

- Developers who are also integrating with Microsoft 365 can receive additional benefits from these programs. For more information, refer to [Microsoft 365 Publisher Attestation](/microsoft-365-app-certification/docs/attestation) and [Microsoft 365 App Certification](/microsoft-365-app-certification/docs/certification).

-* Learn how to [mark an app as publisher verified](mark-app-as-publisher-verified.md).

-* [Troubleshoot](troubleshoot-publisher-verification.md) publisher verification.

-## March 2022

-### New articles

-### Updated articles

-Verify that you've [configured Azure RBAC policies](../../virtual-machines/linux/login-using-aad.md) for the VM that grant the user the Virtual Machine Administrator Login or Virtual Machine User Login role.

-1. Sign in to the [Azure portal](https://portal.azure.com) or [Azure AD admin center](https://aad.portal.azure.com) with an account that's been assigned the Global Administrator or Privileged Role Administrator role for the directory.

-When managing licenses in [the Azure portal](https://portal.azure.com/#blade/Microsoft_AAD_IAM/LicensesMenuBlade/Products) or the [Microsoft 365 admin center](https://admin.microsoft.com), you see product names that look something like *Office 365 E3*. When you use PowerShell v1.0 cmdlets, the same product is identified using a specific but less friendly name: *ENTERPRISEPACK*. When using PowerShell v2.0 cmdlets or [Microsoft Graph](/graph/api/resources/subscribedsku), the same product is identified using a GUID value: *6fd2c87f-b296-42f0-b197-1e91e994b900*. The following table lists the most commonly used Microsoft online service products and provides their various ID values. These tables are for reference purposes in Azure Active Directory (Azure AD), part of Microsoft Entra, and are accurate only as of the date when this article was last updated. Microsoft does not plan to update them for newly added services periodically.

- 

-1. If the resources aren't already in the catalog, and you're an administrator or a catalog owner, you can [add resources to a catalog](entitlement-management-catalog-create.md#add-resources-to-a-catalog).

-If you don't want users to receive all of the roles, then you'll need to create multiple access packages in the catalog, with separate access packages for each of the resource roles. You can also mark the access packages as [incompatible](entitlement-management-access-package-incompatible.md) with each other so users can't request access to access packages that would give them excessive access.

-To include resources in an access package, the resources must exist in a catalog. The types of resources you can add are groups, applications, and SharePoint Online sites. For example:

-* Groups can be cloud-created Microsoft 365 Groups or cloud-created Azure AD security groups. Groups that originate in an on-premises Active Directory can't be assigned as resources because their owner or member attributes can't be changed in Azure AD. Groups that originate in Exchange Online as Distribution groups can't be modified in Azure AD either.

-* Applications can be Azure AD enterprise applications, which include both software as a service (SaaS) applications and your own applications integrated with Azure AD. For more information on how to select appropriate resources for applications with multiple roles, see [Add resource roles](entitlement-management-access-package-resources.md#add-resource-roles).

-"AccelerateToFederatedDomain": true

-"AccelerateToFederatedDomain": true

-"PreferredDomain": ["federated.example.edu"]

-"AllowCloudPasswordValidation": true

-1. Grant the Policy.ReadWrite.ApplicationConfiguration permission under the **Modify permissions** tab.

-1. POST the new policy to this URL, or PATCH to /policies/homerealmdiscoveryPolicies/{policyID} if overwriting an existing one.

- GET policies/homeRealmDiscoveryPolicies

- DELETE /policies/homeRealmDiscoveryPolicies/{policy objectID}

-[Prevent sign-in auto-acceleration](prevent-domain-hints-with-home-realm-discovery.md).

-## March 2022

-### New articles

-### Updated articles

-### Does managed identities for Azure resources work with Azure Cloud Services?

-No, there are no plans to support managed identities for Azure resources in Azure Cloud Services.

-description: Learn how to automatically provision and de-provision user accounts from Azure AD to AWS single sign-On.

-# Tutorial: Configure AWS single sign-On for automatic user provisioning

-This tutorial describes the steps you need to perform in both AWS single sign-On and Azure Active Directory (Azure AD) to configure automatic user provisioning. When configured, Azure AD automatically provisions and de-provisions users and groups to [AWS single sign-On](https://console.aws.amazon.com/singlesignon) using the Azure AD Provisioning service. For important details on what this service does, how it works, and frequently asked questions, see [Automate user provisioning and deprovisioning to SaaS applications with Azure Active Directory](../app-provisioning/user-provisioning.md).

-> * Create users in AWS single sign-On

-> * Remove users in AWS single sign-On when they no longer require access

-> * Keep user attributes synchronized between Azure AD and AWS single sign-On

-> * Provision groups and group memberships in AWS single sign-On

-> * [single sign-On](aws-single-sign-on-tutorial.md) to AWS single sign-On

-* A SAML connection from your Azure AD account to AWS single sign-On, as described in Tutorial

-3. Determine what data to [map between Azure AD and AWS single sign-On](../app-provisioning/customize-application-attributes.md).

-## Step 2. Configure AWS single sign-On to support provisioning with Azure AD

-1. Open the [AWS single sign-On](https://console.aws.amazon.com/singlesignon).

-4. In the Inbound automatic provisioning dialog box, copy and save the **SCIM endpoint** and **Access Token** (visible after clicking on Show Token). These values will be entered in the **Tenant URL** and **Secret Token** field in the Provisioning tab of your AWS single sign-On application in the Azure portal.

-## Step 3. Add AWS single sign-On from the Azure AD application gallery

-Add AWS single sign-On from the Azure AD application gallery to start managing provisioning to AWS single sign-On. If you have previously setup AWS single sign-On for SSO, you can use the same application. Learn more about adding an application from the gallery [here](../manage-apps/add-application-portal.md).

-## Step 5. Configure automatic user provisioning to AWS single sign-On

-### To configure automatic user provisioning for AWS single sign-On in Azure AD:

-2. In the applications list, select **AWS single sign-On**.

- 

-5. Under the **Admin Credentials** section, input your AWS single sign-On **Tenant URL** and **Secret Token** retrieved earlier in Step 2. Click **Test Connection** to ensure Azure AD can connect to AWS single sign-On.

-8. Under the **Mappings** section, select **Synchronize Azure Active Directory Users to AWS single sign-On**.

-9. Review the user attributes that are synchronized from Azure AD to AWS single sign-On in the **Attribute-Mapping** section. The attributes selected as **Matching** properties are used to match the user accounts in AWS single sign-On for update operations. If you choose to change the [matching target attribute](../app-provisioning/customize-application-attributes.md), you will need to ensure that the AWS single sign-On API supports filtering users based on that attribute. Select the **Save** button to commit any changes.

-10. Under the **Mappings** section, select **Synchronize Azure Active Directory Groups to AWS single sign-On**.

-11. Review the group attributes that are synchronized from Azure AD to AWS single sign-On in the **Attribute-Mapping** section. The attributes selected as **Matching** properties are used to match the groups in AWS single sign-On for update operations. Select the **Save** button to commit any changes.

-13. To enable the Azure AD provisioning service for AWS single sign-On, change the **Provisioning Status** to **On** in the **Settings** section.

-14. Define the users and/or groups that you would like to provision to AWS single sign-On by choosing the desired values in **Scope** in the **Settings** section.

-Currently AWS single sign-On is not allowing some other characters that Azure AD supports like tab (\t), new line (\n), return carriage (\r), and characters such as " <|>|;|:% ".

-You can also check the AWS single sign-On troubleshooting tips [here](https://docs.aws.amazon.com/singlesignon/latest/userguide/azure-ad-idp.html#azure-ad-troubleshooting) for more troubleshooting tips

-* [What is application access and single sign-On with Azure Active Directory?](../manage-apps/what-is-single-sign-on.md)

-description: Learn how to configure single sign-on between Azure Active Directory and AWS Single Sign-On.

-# Tutorial: Azure AD SSO integration with AWS Single Sign-On

-In this tutorial, you'll learn how to integrate AWS Single Sign-On with Azure Active Directory (Azure AD). When you integrate AWS Single Sign-On with Azure AD, you can:

-* Control in Azure AD who has access to AWS Single Sign-On.

-* Enable your users to be automatically signed-in to AWS Single Sign-On with their Azure AD accounts.

-* AWS Single Sign-On enabled subscription.

-* AWS Single Sign-On supports **SP and IDP** initiated SSO.

-* AWS Single Sign-On supports [**Automated user provisioning**](./aws-single-sign-on-provisioning-tutorial.md).

-## Add AWS Single Sign-On from the gallery

-To configure the integration of AWS Single Sign-On into Azure AD, you need to add AWS Single Sign-On from the gallery to your list of managed SaaS apps.

-1. In the **Add from the gallery** section, type **AWS Single Sign-On** in the search box.

-1. Select **AWS Single Sign-On** from results panel and then add the app. Wait a few seconds while the app is added to your tenant.

-## Configure and test Azure AD SSO for AWS Single Sign-On

-Configure and test Azure AD SSO with AWS Single Sign-On using a test user called **B.Simon**. For SSO to work, you need to establish a link relationship between an Azure AD user and the related user in AWS Single Sign-On.

-To configure and test Azure AD SSO with AWS Single Sign-On, perform the following steps:

-1. **[Configure AWS Single Sign-On SSO](#configure-aws-single-sign-on-sso)** - to configure the single sign-on settings on application side.

- 1. **[Create AWS Single Sign-On test user](#create-aws-single-sign-on-test-user)** - to have a counterpart of B.Simon in AWS Single Sign-On that is linked to the Azure AD representation of user.

-1. In the Azure portal, on the **AWS Single Sign-On** application integration page, find the **Manage** section and select **single sign-on**.

- b. Click on **folder logo** to select metadata file, which is explained to download in **[Configure AWS Single Sign-On SSO](#configure-aws-single-sign-on-sso)** section and click **Add**.

- > These values are not real. Update these values with the actual Identifier, Reply URL and Sign-on URL. Contact [AWS Single Sign-On Client support team](mailto:aws-sso-partners@amazon.com) to get these values. You can also refer to the patterns shown in the **Basic SAML Configuration** section in the Azure portal.

-1. AWS Single Sign-On application expects the SAML assertions in a specific format, which requires you to add custom attribute mappings to your SAML token attributes configuration. The following screenshot shows the list of default attributes.

- > If ABAC is enabled in AWS Single Sign-On, the additional attributes may be passed as session tags directly into AWS accounts.

-1. On the **Set up AWS Single Sign-On** section, copy the appropriate URL(s) based on your requirement.

-In this section, you'll enable B.Simon to use Azure single sign-on by granting access to AWS Single Sign-On.

-1. In the applications list, select **AWS Single Sign-On**.

-## Configure AWS Single Sign-On SSO

-1. To automate the configuration within AWS Single Sign-On, you need to install **My Apps Secure Sign-in browser extension** by clicking **Install the extension**.

-2. After adding extension to the browser, click on **Set up AWS Single Sign-On** will direct you to the AWS Single Sign-On application. From there, provide the admin credentials to sign into AWS Single Sign-On. The browser extension will automatically configure the application for you and automate steps 3-10.

-3. If you want to setup AWS Single Sign-On manually, in a different web browser window, sign in to your AWS Single Sign-On company site as an administrator.

-1. Go to the **Services -> Security, Identity, & Compliance -> AWS Single Sign-On**.

-3. On the **Settings** page, find **Identity source** and click on **Change**.

-4. On the Change identity source, choose **External identity provider**.

- a. In the **Service provider metadata** section, find **AWS SSO SAML metadata** and select **Download metadata file** to download the metadata file and save it on your computer and use this metadata file to upload on Azure portal.

- b. Copy **AWS SSO Sign-in URL** value, paste this value into the **Sign on URL** text box in the **Basic SAML Configuration section** in the Azure portal.

- c. In the **Identity provider metadata** section, choose **Browse** to upload the metadata file, which you have downloaded from the Azure portal.

-### Create AWS Single Sign-On test user

-1. Open the **AWS SSO console**.

- c. In the **Confirm email address** field, reenter the email address from the previous step.

- g. Choose **Next: Groups**.

- > Make sure the username entered in AWS SSO matches the userΓÇÖs Azure AD sign-in name. This will you help avoid any authentication problems.

-AWS SSO console, choose **AWS accounts**.

-about permission sets, see the AWS SSO **Permission Sets** page.

-> AWS Single Sign-On also supports automatic user provisioning, you can find more details [here](./aws-single-sign-on-provisioning-tutorial.md) on how to configure automatic user provisioning.

-* Click on **Test this application** in Azure portal. This will redirect to AWS Single Sign-On sign-in URL where you can initiate the login flow.

-* Go to AWS Single Sign-On sign-in URL directly and initiate the login flow from there.

-* Click on **Test this application** in Azure portal and you should be automatically signed in to the AWS Single Sign-On for which you set up the SSO.

-You can also use Microsoft My Apps to test the application in any mode. When you click the AWS Single Sign-On tile in the My Apps, if configured in SP mode you would be redirected to the application sign on page for initiating the login flow and if configured in IDP mode, you should be automatically signed in to the AWS Single Sign-On for which you set up the SSO. For more information about the My Apps, see [Introduction to the My Apps](https://support.microsoft.com/account-billing/sign-in-and-start-apps-from-the-my-apps-portal-2f3b1bae-0e5a-4a86-a33e-876fbd2a4510).

-Once you configure AWS Single Sign-On you can enforce session control, which protects exfiltration and infiltration of your organizationΓÇÖs sensitive data in real time. Session control extends from Conditional Access. [Learn how to enforce session control with Microsoft Defender for Cloud Apps](/cloud-app-security/proxy-deployment-any-app).

-If you have previously provisioned user identities from on-premise AD to Cisco Umbrella and would now like to provision the same users from Azure AD, you will need to synchronize the ObjectGUID attribute so that previously provisioned identities persist in the Umbrella reporting. You will need to reconfigure any Umbrella policy on groups after importing groups from Azure AD.

-* If you expand your VNET after creating the cluster you must update your cluster (perform any managed cluster operation but node pool operations don't count) before adding a subnet outside the original cidr. AKS will error out on the agent pool add now though we originally allowed it. The `aks-preview` Azure CLI extension (version 0.5.66+) now supports running `az aks update -g <resourceGroup> -n <clusterName>` without any optional arguments. This command will perform an update operation without making any changes, which can recover a cluster stuck in a failed state.

-| Australia East | x | x |

-| Australia Southeast | x | |

-| Brazil South | x | x |

-| Canada Central | x | x |

-| Canada East | x | |

-| Central India | x | x |

-| Central US | x | x |

-| East Asia | x | x |

-| East US | x | x |

-| East US 2 | x | x |

-| France Central | x | x |

-| Germany West Central | x | x |

-| Japan East | x | x |

-| Korea Central | x | x |

-| North Central US | x | |

-| North Europe | x | x |

-| Norway East | x | x |

-| South Africa North | x | x |

-| South Central US | x | x |

-| Southeast Asia | x | x |

-| Switzerland North | x | |

-| UAE North | x | |

-| UK South | x | x |

-| UK West | x | |

-| West Central US | x | |

-| West Europe | x | x |

-| West US | x | |

-| West US 2 | x | x |

-| West US 3 | x | x |

-When youΓÇÖre running a web application, you want to be prepared for any issues that may arise, from 500 errors to your users telling you that your site is down. App Service diagnostics is an intelligent and interactive experience to help you troubleshoot your app with no configuration required. When you do run into issues with your app, App Service diagnostics points out whatΓÇÖs wrong to guide you to the right information to more easily and quickly troubleshoot and resolve the issue.

-In the App Service diagnostics homepage, you can choose the category that best describes the issue with your app by using the keywords in each homepage tile. Also, this page is where you can find **Diagnostic Tools**. See [Diagnostic tools](#diagnostic-tools).

-

-## Interactive interface

-Once you select a homepage category that best aligns with your app's problem, App Service diagnostics' interactive interface, Genie, can guide you through diagnosing and solving problem with your app. You can use the tile shortcuts provided by Genie to view the full diagnostic report of the problem category that you are interested. The tile shortcuts provide you a direct way of accessing your diagnostic metrics.

-

-After clicking on these tiles, you can see a list of topics related to the issue described in the tile. These topics provide snippets of notable information from the full report. You can click on any of these topics to investigate the issues further. Also, you can click on **View Full Report** to explore all the topics on a single page.

-

-

-## Diagnostic report

-After you choose to investigate the issue further by clicking on a topic, you can view more details about the topic often supplemented with graphs and markdowns. Diagnostic report can be a powerful tool for pinpointing the problem with your app.

-

-## Health checkup

-If you don't know whatΓÇÖs wrong with your app or donΓÇÖt know where to start troubleshooting your issues, the health checkup is a good place to start. The health checkup analyzes your applications to give you a quick, interactive overview that points out whatΓÇÖs healthy and whatΓÇÖs wrong, telling you where to look to investigate the issue. Its intelligent and interactive interface provides you with guidance through the troubleshooting process. Health checkup is integrated with the Genie experience for Windows apps and web app down diagnostic report for Linux apps.

-### Health checkup graphs

-There are four different graphs in the health checkup.

-

-### Troubleshooting steps (only for Windows app)

-[Tutorial: Run a load test to identify performance bottlenecks in a web app](../load-testing/tutorial-identify-bottlenecks-azure-portal.md)

-The following table describes the scenarios that are currently supported for Azure Arc-enabled data services.

-|Azure Regions |Direct connected mode |Indirect connected mode |

-||||

-|East US | Available | Available

-|East US 2|Available|Available

-|West US|Available|Available

-|West US 2|Available|Available

-|West US 3|Available|Available

-|North Central US | Available | Available

-|Central US|Available|Available

-|South Central US|Available|Available

-|UK South|Available|Available

-|France Central|Available|Available

-|West Europe |Available |Available

-|North Europe|Available|Available

-|Japan East|Available|Available

-|Korea Central|Available|Available

-|Southeast Asia|Available|Available

-|Australia East|Available|Available

-|Canada Central|Available|Available

-|Kublr |1.22.0 / 1.20.12 |v1.1.0_2021-11-02 |15.0.2195.191 |PostgreSQL 12.3 (Ubuntu 12.3-1) |

-### WindRiver

-|WindRiver| v1.23.1|v1.9.0_2022-07-12 |16.0.312.4243|postgres 12.3 (Ubuntu 12.3-1) |

- * If you want to connect a OpenShift cluster to Azure Arc, you need to execute the following command just once on your cluster before running `New-AzConnectedKubernetes`:

-The value for this setting indicates a custom package index URL for Python apps. Use this setting when you need to run a remote build using custom dependencies that are found in an extra package index.

-To learn more, see [Custom dependencies](functions-reference-python.md#remote-build-with-extra-index-url) in the Python developer reference.

-description: Learn how to use Azure portal, CLI or PowerShell to create, view and manage classic metric alert rules.

-Classic metric alerts in Azure Monitor provide a way to get notified when one of your metrics cross a threshold. Classic metric alerts is an older functionality that allows for alerting only on non-dimensional metrics. There is an existing newer functionality called Metric alerts which has improved functionality over classic metric alerts. You can learn more about the new metric alerts functionality in [metric alerts overview](./alerts-metric-overview.md). In this article, we will describe how to create, view and manage classic metric alert rules through Azure portal, Azure CLI and PowerShell.

-## With Azure CLI

-The previous sections described how to create, view and manage metric alert rules using Azure portal. This section will describe how to do the same using cross-platform [Azure CLI](/cli/azure/get-started-with-azure-cli). Quickest way to start using Azure CLI is through [Azure Cloud Shell](../../cloud-shell/overview.md).

-### Get all classic metric alert rules in a resource group

-```azurecli

-az monitor alert list --resource-group <group name>

-```

-### See details of a particular classic metric alert rule

-```azurecli

-az monitor alert show --resource-group <group name> --name <alert name>

-```

-### Create a classic metric alert rule

-```azurecli

-az monitor alert create --name <alert name> --resource-group <group name> \

- --action email <email1 email2 ...> \

- --action webhook <URI> \

- --target <target object ID> \

- --condition "<METRIC> {>,>=,<,<=} <THRESHOLD> {avg,min,max,total,last} ##h##m##s"

-```

-### Delete a classic metric alert rule

-```azurecli

-az monitor alert delete --name <alert name> --resource-group <group name>

-```

-|Azure CLI | [az monitor alert](/cli/azure/monitor/metrics/alert) | [az monitor metrics alert](/cli/azure/monitor/metrics/alert) |

-description: Learn which metrics are commonly used for autoscaling your Cloud Services, Virtual Machines and Web Apps.

-Azure Monitor autoscaling allows you to scale the number of running instances up or down, based on telemetry data (metrics). This document describes common metrics that you might want to use. In the Azure portal, you can choose the metric of the resource to scale by. However, you can also choose any metric from a different resource to scale by.

-Azure Monitor autoscale applies only to [Virtual Machine Scale Sets](https://azure.microsoft.com/services/virtual-machine-scale-sets/), [Cloud Services](https://azure.microsoft.com/services/cloud-services/), [App Service - Web Apps](https://azure.microsoft.com/services/app-service/web/), and [API Management services](../../api-management/api-management-key-concepts.md). Other Azure services use different scaling methods.

-By default, Resource Manager-based Virtual Machines and Virtual Machine Scale Sets emit basic (host-level) metrics. In addition, when you configure diagnostics data collection for an Azure VM and VMSS, the Azure diagnostic extension also emits guest-OS performance counters (commonly known as "guest-OS metrics"). You use all these metrics in autoscale rules.

-You can use the `Get MetricDefinitions` API/PoSH/CLI to view the metrics available for your VMSS resource.

-If you're using VM scale sets and you don't see a particular metric listed, then it is likely *disabled* in your diagnostics extension.

-If a particular metric is not being sampled or transferred at the frequency you want, you can update the diagnostics configuration.

-If either preceding case is true, then review [Use PowerShell to enable Azure Diagnostics in a virtual machine running Windows](../../virtual-machines/extensions/diagnostics-windows.md) about PowerShell to configure and update your Azure VM Diagnostics extension to enable the metric. That article also includes a sample diagnostics configuration file.

-The following host-level metrics are emitted by default for Azure VM and VMSS in both Windows and Linux instances. These metrics describe your Azure VM, but are collected from the Azure VM host rather than via agent installed on the guest VM. You may use these metrics in autoscaling rules.

-When you create a VM in Azure, diagnostics is enabled by using the Diagnostics extension. The diagnostics extension emits a set of metrics taken from inside of the VM. This means you can autoscale off of metrics that are not emitted by default.

-| Metric Name | Unit |

-When you create a VM in Azure, diagnostics is enabled by default by using Diagnostics extension.

-| Metric Name | Unit |

-## Commonly used App Service (Server Farm) metrics

-You can also perform autoscale based on common web server metrics such as the Http queue length. Its metric name is **HttpQueueLength**. The following section lists available server farm (App Service) metrics.

-You can generate a list of the Web Apps metrics by using the following command in PowerShell.

-| Metric Name | Unit |

-You can scale by Storage queue length, which is the number of messages in the storage queue. Storage queue length is a special metric and the threshold is the number of messages per instance. For example, if there are two instances and if the threshold is set to 100, scaling occurs when the total number of messages in the queue is 200. That can be 100 messages per instance, 120 and 80, or any other combination that adds up to 200 or more.

-Configure this setting in the Azure portal in the **Settings** blade. For VM scale sets, you can update the Autoscale setting in the Resource Manager template to use *metricName* as *ApproximateMessageCount* and pass the ID of the storage queue as *metricResourceUri*.

-For example, with a Classic Storage Account the autoscale setting metricTrigger would include:

-For a (non-classic) storage account, the metricTrigger would include:

-You can scale by Service Bus queue length, which is the number of messages in the Service Bus queue. Service Bus queue length is a special metric and the threshold is the number of messages per instance. For example, if there are two instances and if the threshold is set to 100, scaling occurs when the total number of messages in the queue is 200. That can be 100 messages per instance, 120 and 80, or any other combination that adds up to 200 or more.

-For VM scale sets, you can update the Autoscale setting in the Resource Manager template to use *metricName* as *ApproximateMessageCount* and pass the ID of the storage queue as *metricResourceUri*.

-> For Service Bus, the resource group concept does not exist but Azure Resource Manager creates a default resource group per region. The resource group is usually in the 'Default-ServiceBus-[region]' format. For example, 'Default-ServiceBus-EastUS', 'Default-ServiceBus-WestUS', 'Default-ServiceBus-AustraliaEast' etc.

-description: Learn how to scale your web app is custom metric in the Azure portal

-# Customer intent: As a user or dev ops administrator I want to use the portal to set up autoscale so I can scale my resources.

-# How to autoscale a web app using custom metrics.

-This article describes how to set up autoscale for a web app using a custom metric in the Azure portal.

-Autoscale allows you to add and remove resources to handle increases and decreases in load. In this article we'll show you how to set up autoscale for a web app, using one of the Application Insights metrics to scale the web app in and out.

-+ [Virtual Machine Scale Sets](https://azure.microsoft.com/services/virtual-machine-scale-sets/)

-+ [Cloud Services](https://azure.microsoft.com/services/cloud-services/)

-+ [App Service - Web Apps](https://azure.microsoft.com/services/app-service/web/)

-+ [Azure Data Explorer Cluster](https://azure.microsoft.com/services/data-explorer/)

-+ Integration Service Environment and [API Management services](../../api-management/api-management-key-concepts.md).

-## Prerequisites

-An Azure account with an active subscription. [Create an account for free](https://azure.microsoft.com/free).

-To create an autoscaled web app, follow the steps below.

-1. If you do not already have one, [Create an App Service Plan](#create-an-app-service-plan). Note that you can't set up autoscale for free or basic tiers.

-1. If you do not already have one, [Create a web app](#create-a-web-app) using your service plan.

-

-## Create an App Service Plan

-An App Service plan defines a set of compute resources for a web app to run on.

- :::image type="content" source="media\autoscale-custom-metric\search-app-service-plan.png" alt-text="Screenshot of the search bar, searching for app service plans.":::

-1. Select **Create** from the **App Service plan** page.

-1. Select an **Sku and size**.

- > You cannot use autoscale with free or basic tiers.

-1. Select **Review + create**, then **Create**.

- :::image type="content" source="media\autoscale-custom-metric\create-app-service-plan.png" alt-text="Screenshot of the Basics tab of the Create App Service Plan screen that you configure the App Service plan on.":::

-1. Search for and select *App services*.

- :::image type="content" source="media\autoscale-custom-metric\search-app-services.png" alt-text="Screenshot of the search bar, searching for app service.":::

-1. Select **Create** from the **App Services** page.

-1. Select the **Operating System** and **Region** that you chose when defining your App Service plan.

-1. Select the **Monitoring** tab from the menu bar.

- :::image type="content" source="media\autoscale-custom-metric\create-web-app.png" alt-text="Screenshot of the Basics tab of the Create web app page where you set up a web app.":::

-1. Select **Review + create**, then **Create**.

- :::image type="content" source="media\autoscale-custom-metric\enable-application-insights.png"alt-text="Screenshot of the Monitoring tab of the Create web app page where you enable Application Insights.":::

-1. Search and select *autoscale* in the search bar or select **Autoscale** under **Monitor** in the side menu bar.

- :::image type="content" source="media\autoscale-custom-metric\autoscale-overview-page.png" alt-text="A screenshot of the autoscale landing page where you select the resource to set up autoscale for.":::

-### Set up a scale out rule

-Set up a scale out rule so that Azure spins up an additional instance of the web app, when your web app is handling more than 70 sessions per instance.

-1. In the **Rules** section of the default scale condition, select **Add a rule**.

- :::image type="content" source="media/autoscale-custom-metric/autoscale-settings.png" alt-text="A screenshot of the autoscale settings page where you set up the basic autoscale settings.":::

-1. From **Resource Type**, select **Application Insights**.

-1. Select a **Metric name** to base your scaling on, for example *Sessions*.

-1. Select **Enable metric divide by instance count** so that the number of sessions per instance is measured.

-1. 1. From the **Operator** dropdown, select **Greater than**.

-1. Enter the **Metric threshold to trigger the scale action**, for example, *70*.

-1. Under **Actions**, set the **Operation** to *Increase count* and set the **Instance count** to *1*.

- :::image type="content" source="media/autoscale-custom-metric/scale-out-rule.png" alt-text="A screenshot of the Scale rule page where you configure the scale out rule.":::

-### Set up a scale in rule

-Set up a scale in rule so Azure spins down one of the instances when the number of sessions your web app is handling is less than 60 per instance. Azure will reduce the number of instances each time this rule is run until the minimum number of instances is reached.

-1. In the **Rules** section of the default scale condition, select **Add a rule**.

-1. From **Resource Type**, select **Application Insights**.

-1. Select a **Metric name** to base your scaling on, for example *Sessions*.

-1. Select **Enable metric divide by instance count** so that the number of sessions per instance is measured.

-1. Enter the **Metric threshold to trigger the scale action**, for example, *60*.

-1. Under **Actions**, set the **Operation** to **Decrease count** and set the **Instance count** to *1*.

- :::image type="content" source="media/autoscale-custom-metric/scale-in-rule.png" alt-text="A screenshot of the Scale rule page where you configure the scale in rule.":::

-1. Set the maximum number of instances that can be spun up in the **Maximum** field of the **Instance limits** section, for example, *4*.

- :::image type="content" source="media/autoscale-custom-metric/autoscale-instance-limits.png" alt-text="A screenshot of the autoscale settings page where you set up instance limits.":::

-If you're not going to continue to use this application, delete

-resources with the following steps:

-1. From the App service overview page, select **Delete**.

- :::image type="content" source="media/autoscale-custom-metric/delete-web-app.png" alt-text="A screenshot of the App Service page where you can Delete the web app.":::

-1. From The App Service Plan page, select **Delete**. The autoscale settings are deleted along with the App Service plan.

- :::image type="content" source="media/autoscale-custom-metric/delete-service-plan.png" alt-text="A screenshot of the App Service plan page where you can Delete the app service plan.":::

-Learn more about autoscale by referring to the following articles:

-# Get started with Autoscale in Azure

-This article describes how to set up your Autoscale settings for your resource in the Microsoft Azure portal.

-Azure Monitor autoscale applies only to [Virtual Machine scale sets](https://azure.microsoft.com/services/virtual-machine-scale-sets/), [Cloud Services](https://azure.microsoft.com/services/cloud-services/), [App Service - Web Apps](https://azure.microsoft.com/services/app-service/web/), and [API Management services](../../api-management/api-management-key-concepts.md).

-## Discover the Autoscale settings in your subscription

-You can discover all the resources for which Autoscale is applicable in Azure Monitor. Use the following steps for a step-by-step walkthrough:

-1. Click the Azure Monitor icon on the top of the page.

- [](./media/autoscale-get-started/click-on-monitor-1.png#lightbox)

-1. Click **Autoscale** to view all the resources for which Autoscale is applicable, along with their current Autoscale status.

- [](./media/autoscale-get-started/click-on-autoscale-2.png#lightbox)

-

-You can use the filter pane at the top to scope down the list to select resources in a specific resource group, specific resource types, or a specific resource.

-[](./media/autoscale-get-started/view-all-resources-3.png#lightbox)

-For each resource, you will find the current instance count and the Autoscale status. The Autoscale status can be:

-Additionally, you can reach the scaling page by clicking on **All Resources** on the home page and filter to the resource you're interested in scaling.

-[](./media/autoscale-get-started/choose-all-resources.png#lightbox)

-Once you've selected the resource that you're interested in, select the **Scaling** tab to configure autoscaling rules.

-[](./media/autoscale-get-started/scaling-page.png#lightbox)

-## Create your first Autoscale setting

-Let's now go through a simple step-by-step walkthrough to create your first Autoscale setting.

-1. Open the **Autoscale** blade in Azure Monitor and select a resource that you want to scale. (The following steps use an App Service plan associated with a web app. You can [create your first ASP.NET web app in Azure in 5 minutes.][5])

-1. Note that the current instance count is 1. Click **Custom autoscale**.

- [](./media/autoscale-get-started/manual-scale-04.png#lightbox)

-1. Provide a name for the scale setting, and then click **Add a rule**. This opens as a context pane on the right side. By default, this sets the option to scale your instance count by 1 if the CPU percentage of the resource exceeds 70 percent. Leave it at its default values and click **Add**.

- [](./media/autoscale-get-started/custom-scale-add-rule-05.png#lightbox)

-1. You've now created your first scale rule. Note that the UX recommends best practices and states that "It is recommended to have at least one scale in rule." To do so:

- a. Click **Add a rule**.

- b. Set **Operator** to **Less than**.

- c. Set **Threshold** to **20**.

- d. Set **Operation** to **Decrease count by**.

- You should now have a scale setting that scales out/scales in based on CPU usage.

- [](./media/autoscale-get-started/custom-scale-results-06.png#lightbox)

-1. Click **Save**.

-> The same steps are applicable to get started with a Virtual Machine Scale Set or cloud service role.

-In addition to scale based on CPU, you can set your scale differently for specific days of the week.

-1. Click **Add a scale condition**.

-[](./media/autoscale-get-started/scale-same-based-on-condition-07.png#lightbox)

-In addition to scale based on CPU, you can set your scale differently for specific dates.

-1. Click **Add a scale condition**.

-[](./media/autoscale-get-started/scale-different-based-on-time-08.png#lightbox)

-![Run history][12]

-If you want to view the complete scale history (for up to 90 days), select **Click here to see more details**. The activity log opens, with Autoscale pre-selected for your resource and category.

-Autoscale is an Azure Resource Manager resource. You can view the scale definition in JSON by switching to the **JSON** tab.

-[](./media/autoscale-get-started/view-scale-definition-09.png#lightbox)

-You can make changes in JSON directly, if required. These changes will be reflected after you save them.

-Autoscale uses a cool-down period to prevent "flapping", which is the rapid, repetitive up and down scaling of instances. For more information, see [Autoscale evaluation steps](autoscale-understanding-settings.md#autoscale-evaluation). Other valuable information on flapping and understanding how to monitor the autoscale engine can be found in [Autoscale Best Practices](autoscale-best-practices.md#choose-the-thresholds-carefully-for-all-metric-types) and [Troubleshooting autoscale](autoscale-troubleshoot.md) respectively.

-When your Azure web app is scaled out to multiple instances, App Service can perform health checks on your instances to route traffic to the healthy instances. To learn more, see [this article on App Service Health check](../../app-service/monitor-instances-health-check.md).

-## Moving Autoscale to a different region

-This section describes how to move Azure autoscale to another region under the same Subscription, and Resource Group. You can use REST API to move autoscale settings.

-### Prerequisite

-1. Ensure that the subscription and Resource Group are available and the details in both the source and destination regions are identical.

-1. Ensure that Azure autoscale is available in the [Azure region you want to move to](https://azure.microsoft.com/global-infrastructure/services/?products=monitor&regions=all).

-[Diagnostic settings](../essentials/diagnostic-settings.md) that were created in association with the autoscale setting in the source region cannot be moved. You will need to recreate diagnostic settings in the destination region, after the creation of autosale settings is completed.

-To learn more about moving resources between regions and disaster recovery in Azure, refer to [Move resources to a new resource group or subscription](../../azure-resource-manager/management/move-resource-group-and-subscription.md)

-description: Details on the new predictive autoscale feature in Azure Monitor.

-# Use predictive autoscale to scale out before load demands in virtual machine scale sets (Preview)

-**Predictive autoscale** uses machine learning to help manage and scale Azure Virtual Machine Scale Sets with cyclical workload patterns. It forecasts the overall CPU load to your virtual machine scale set, based on your historical CPU usage patterns. By observing and learning from historical usage, it predicts the overall CPU load ensuring scale-out occurs in time to meet the demand.

-Predictive autoscale needs a minimum of 7 days of history to provide predictions, though 15 days of historical data provides the most accurate results. It adheres to the scaling boundaries you have set for your virtual machine scale set. When the system predicts that the percentage CPU load of your virtual machine scale set will cross your scale-out boundary, new instances are added according to your specifications. You can also configure how far in advance you would like new instances to be provisioned, up to 1 hour before the predicted workload spike will occur.

-**Forecast only** allows you to view your predicted CPU forecast without actually triggering the scaling action based on the prediction. You can then compare the forecast with your actual workload patterns to build confidence in the prediction models before enabling the predictive autoscale feature.

-## Public preview support, availability and limitations

-> This is a public preview release. We are testing and gathering feedback for future releases. As such, we do not provide production level support for this feature. Support is best effort. Send feature suggestions or feedback on predicative autoscale to predautoscalesupport@microsoft.com.

-You have to enable standard (or reactive) autoscale to manage scale-in.

-Enabling predictive autoscale or forecast only with Azure portal

-1. Go to the virtual machine scale set screen and select on **Scaling**.

- :::image type="content" source="media/autoscale-predictive/main-scaling-screen-1.png" alt-text="Screenshot showing selecting the scaling screen from the left hand menu in Azure portal":::

-2. Under **Custom autoscale** section, there's a new field called **Predictive autoscale**.

- :::image type="content" source="media/autoscale-predictive/custom-autoscale-2.png" alt-text="Screenshot sowing selecting custom autoscale and then predictive autoscale option from Azure portal":::

- Using the drop-down selection, you can:

- - Disable predictive autoscale - Disable is the default selection when you first land on the page for predictive autoscale.

- - Enable forecast only mode

- - Enable predictive autoscale

- > [!NOTE]

- > Before you can enable predictive autoscale or forecast only mode, you must set up the standard reactive autoscale conditions.

-3. To enable forecast only, select it from the dropdown. Define a scale up trigger based on *Percentage CPU*. Then select **Save**. The same process applies to enable predictive autoscale. To disable predictive autoscale or forecast only mode, choose **Disable** from the drop-down.

- :::image type="content" source="media/autoscale-predictive/enable-forecast-only-mode-3.png" alt-text="Screenshot of enable forecast only mode":::

-4. If desired, specify a pre-launch time so the instances are full running before they're needed. You can pre-launch instances between 5 and 60 minutes before the needed prediction time.

- :::image type="content" source="media/autoscale-predictive/pre-launch-4.png" alt-text="Screenshot of predictive autoscale pre-launch setup":::

-5. Once you have enabled predictive autoscale or forecast only and saved it, select *Predictive charts*.

- :::image type="content" source="media/autoscale-predictive/predictve-charts-option-5.png" alt-text="Screenshot of selecting predictive charts menu option":::

-6. You see three charts:

- :::image type="content" source="media/autoscale-predictive/predictive-charts-6.png" alt-text="Screenshot of three charts for predictive autoscale" lightbox="media/autoscale-predictive/predictive-charts-6.png":::

-1. Retrieve the virtual machine scale set resource ID and resource group of your virtual machine scale set. For example: /subscriptions/e954e48d-abcd-abcd-abcd-3e0353cb45ae/resourceGroups/patest2/providers/Microsoft.Compute/virtualMachineScaleSets/patest2

-2. Update *autoscale_only_parameters* file with the virtual machine scale set resource ID and any autoscale setting parameters.

-3. Use a PowerShell command to deploy the template containing the autoscale settings. For example,

-

-For more information on Azure Resource Manager templates, see [Resource Manager template overview](../../azure-resource-manager/templates/overview.md)

-Prediction autoscale uses the history of a running virtual machine scale set. If your scale set has been running less than 7 days, you'll receive a message that the model is being trained. See the [no predictive data message](#errors-and-warnings). Predictions improve as time goes by achieving its maximum accuracy 15 days after the virtual machine scale set is created.

-If changes to the workload pattern occur (but remain periodic), the model recognizes the change and begins to adjust the forecast accordingly. The forecast improves as time goes by. Maximum accuracy is reached 15 days after the change in the traffic pattern happens. Remember that your standard autoscale rules still apply. If a new unpredicted increase in traffic occurs, your virtual machine scale set will still scale out to meet the demand.

-The modeling works best with workloads that exhibit periodicity. We recommended you first evaluate the predictions by enabling "forecast only" which will overlay the scale setΓÇÖs predicted CPU usage with the actual, observed usage. Once you compare and evaluate the results, you can then choose to enable scaling based on the predicted metrics if the model predictions are close enough for your scenario.

-### Why do I need to enable standard autoscale before enabling predictive autoscale?

-Standard autoscaling is a necessary fallback if the predictive model doesn't work well for your scenario. Standard autoscale will cover unexpected load spikes which aren't part of your typical CPU load pattern. It also provides a fallback should there be any error retrieving the predictive data.

-## Errors and Warnings

-

-You receive the error message as seen below:

- *Predictive autoscale is based on the metric percentage CPU of the current resource. Choose this metric in the scale up trigger rules*.

-You won't see data on the predictive charts under certain conditions. This isn't an error; it's the intended behavior.

-When predictive autoscale is disabled, you instead receive a message beginning with "No data to show..." and giving you instructions on what to enable so you can see a predictive chart.

- :::image type="content" source="media/autoscale-predictive/error-no-data-to-show.png" alt-text="Screenshot of message No data to show":::

-When you first create a virtual machine scale set and enable forecast only mode, you receive a message telling you "Predictive data is being trained.." and a time to return to see the chart.

- :::image type="content" source="media/autoscale-predictive/message-being-trained-12.png" alt-text="Screenshot of message Predictive data is being trained":::

-Learn more about Autoscale by referring to the following:

-[Transformations in Azure Monitor](/data-collection-transformations.md) allow you to filter or modify incoming data before it's stored in a Log Analytics workspace. They are implemented as a Kusto Query Language (KQL) statement in a [data collection rule (DCR)](data-collection-rule-overview.md). This article provides details on how this query is structured and limitations on the KQL language allowed.

-When defined outside of the parent resource, you format the type and with slashes to include the parent type and name.

-| identifier | This is the unique ID for the user, matching the identity assigned by the Communications Authentication service. You can use this ID to correlate user events across different logs. This ID can also be used to identify Microsoft Teams "Interoperability" scenarios described later in this document. |

-| identifier | This ID represents the user identity, as defined by the Authentication service. Use this ID to correlate different events across calls and services. |

-```

-| Identity | The Communication Services identity related to the operation. |

-| UserAgent | The user agent string from the client. |

-### Pricing example: A user of the Communication Services JavaScript SDK joins a scheduled Microsoft Teams meeting

-Alice is a doctor meeting with her patient, Bob. Alice will be joining the visit from the Teams Desktop application. Bob will receive a link to join using the healthcare provider website, which connects to the meeting using the Communication Services JavaScript SDK. Bob will use his mobile phone to enter the meeting using a web browser (iPhone with Safari). Chat will be available during the virtual visit.

-**Cost calculations**

-*Alice's participation is covered by her Teams license. Your Azure invoice will show the minutes and chat messages that Teams users had with Communication Services Users for your convenience, but those minutes and messages originating from the Teams client won't be charged.

-**Total cost for the visit**:

-### Pricing example: Inbound PSTN call to the Communication Services JavaScript SDK with Teams identity elevated to group call with another Teams user on Teams desktop client

-Alice has ordered a product from Contoso and struggles to set it up. Alice calls from her phone (Android) 800-CONTOSO to ask for help with the received product. Bob is a customer support agent in Contoso and sees an incoming call from Alice on the customer support website (Windows, Chrome browser). Bob accepts the incoming call via Communication Services JavaScript SDK initialized with Teams identity. Teams calling plan enables Bob to receive PSTN calls. Bob sees on the website the product ordered by Alice. Bob decides to invite product expert Charlie to the call. Charlie sees an incoming group call from Bob in the Teams Desktop client and accepts the call.

-**Cost calculations**

-*Charlie's participation is covered by his Teams license.

-**Total cost of the visit**:

-Communication Services APIs are documented alongside other [Azure REST APIs in docs.microsoft.com](/rest/api/azure/). This documentation will tell you how to structure your HTTP messages and offers guidance for using [Postman](../tutorials/postman-tutorial.md). REST interface documentation is also published in Swagger format on [GitHub](https://github.com/Azure/azure-rest-api-specs).

- - [Access storage accounts in same region with managed identities](#access-blob-storage-in-same-region-with-managed-identities)

-### Access Blob Storage in same region with managed identities

-> - You must set up a managed identity to authenticate your storage account connection.

-> - For Standard logic apps in the single-tenant Azure Logic Apps environment, only the system-assigned

-> managed identity is available and supported, not the user-assigned managed identity.

- --analytics-query "ContainerAppConsoleLogs_CL | where ContainerAppName_s == 'nodeapp' and (Log_s contains 'persisted' or Log_s contains 'order') | project ContainerAppName_s, Log_s, TimeGenerated | take 5" \

- --out table

- --analytics-query "ContainerAppConsoleLogs_CL | where ContainerAppName_s == 'nodeapp' and (Log_s contains 'persisted' or Log_s contains 'order') | project ContainerAppName_s, Log_s, TimeGenerated | take 5" `

-# Use a query in Azure Cosmos DB MongoDB API using JavaScript

-Use queries to find documents in a collection.

-In this quickstart, you create and manage an Azure Cosmos DB SQL API account from the Azure portal, and by using a Java app cloned from GitHub. First, you create an Azure Cosmos DB SQL API account using the Azure portal, then create a Java app using the SQL Java SDK, and then add resources to your Cosmos DB account by using the Java application. Azure Cosmos DB is a multi-model database service that lets you quickly create and query document, table, key-value, and graph databases with global distribution and horizontal scale capabilities.

-In this quickstart, you create and manage an Azure Cosmos DB SQL API account from the Azure portal, and by using a Node.js app cloned from GitHub. Azure Cosmos DB is a multi-model database service that lets you quickly create and query document, table, key-value, and graph databases with global distribution and horizontal scale capabilities.

-This tutorial is a quick start guide to show how to use Cosmos DB Spark Connector to read from or write to Cosmos DB. Cosmos DB Spark Connector supports Spark 3.1.x and 3.2.x.

-* An active Azure account. If you don't have one, you can sign up for a [free account](https://azure.microsoft.com/try/cosmosdb/). Alternatively, you can use the [use Azure Cosmos DB Emulator](../local-emulator.md) for development and testing.

-In this quickstart, you create and manage an Azure Cosmos DB SQL API account from the Azure portal, and by using a Spring Data Azure Cosmos DB v3 app cloned from GitHub. First, you create an Azure Cosmos DB SQL API account using the Azure portal, then create a Spring Boot app using the Spring Data Azure Cosmos DB v3 connector, and then add resources to your Cosmos DB account by using the Spring Boot application. Azure Cosmos DB is a multi-model database service that lets you quickly create and query document, table, key-value, and graph databases with global distribution and horizontal scale capabilities.

-Azure Cosmos DB is MicrosoftΓÇÖs fast NoSQL database with open APIs for any scale. You can use Azure Cosmos DB to quickly create and query key/value databases, document databases, and graph databases. This quickstart focuses on the process of deploying an Azure Resource Manager template (ARM template) to create an Azure Cosmos database and a container within that database. You can later store data in this container.

-Get started with the Azure Cosmos DB client library for .NET to create databases, containers, and items within your account. Follow these steps to install the package and try out example code for basic tasks.

-* An Azure account with an active subscription. [Create an account for free](https://azure.microsoft.com/free).

-* An Azure account with an active subscription. [Create an account for free](https://azure.microsoft.com/free).

-This Java web application tutorial shows you how to use the [Microsoft Azure Cosmos DB](https://azure.microsoft.com/services/cosmos-db/) service to store and access data from a Java application hosted on Azure App Service Web Apps. In this article, you will learn:

-* If you don't have an Azure subscription, create a [free account](https://azure.microsoft.com/free/?WT.mc_id=A261C142F) before you begin.

-As a developer, you might have applications that use NoSQL document data. You can use a SQL API account in Azure Cosmos DB to store and access this document data. This tutorial shows you how to build a Node.js console application to create Azure Cosmos DB resources and query them.

-* An active Azure account. If you don't have one, you can sign up for a [Free Azure Trial](https://azure.microsoft.com/pricing/free-trial/).

- - Microsoft Customer Agreement (MCA) in the Enterprise motion when you buy Azure services through a Microsoft representative and individual MCA when you buy Azure services through Azure.com

-This Amazon Marketplace Web Service connector is supported for the following activities:

-You can copy data from Amazon Marketplace Web Service to any supported sink data store. For a list of data stores that are supported as sources/sinks by the copy activity, see the [Supported data stores](copy-activity-overview.md#supported-data-stores-and-formats) table.

-This Asana connector is supported for the following activities:

-This Concur connector is supported for the following activities:

-You can copy data from Concur to any supported sink data store. For a list of data stores that are supported as sources/sinks by the copy activity, see the [Supported data stores](copy-activity-overview.md#supported-data-stores-and-formats) table.

-This data.world connector is supported for the following activities:

-This Dynamics AX connector is supported for the following activities:

-You can copy data from Dynamics AX to any supported sink data store. For a list of data stores that Copy Activity supports as sources and sinks, see [Supported data stores and formats](copy-activity-overview.md#supported-data-stores-and-formats).

-You can copy data from Dynamics 365 (Microsoft Dataverse) or Dynamics CRM to any supported sink data store. You also can copy data from any supported source data store to Dynamics 365 (Microsoft Dataverse) or Dynamics CRM. For a list of data stores that a copy activity supports as sources and sinks, see the [Supported data stores](copy-activity-overview.md#supported-data-stores-and-formats) table.

-This Google AdWords connector is supported for the following activities:

-You can copy data from Google AdWords to any supported sink data store. For a list of data stores that are supported as sources/sinks by the copy activity, see the [Supported data stores](copy-activity-overview.md#supported-data-stores-and-formats) table.

-The recommendation `Running container images should have vulnerability findings resolved` shows vulnerabilities for running images by using the scan results from ACR registries and information on running images from the Defender security profile/extension. Images that are deployed from a non-ACR registry, will appear under the Not applicable tab.

-Defender for Containers provides real-time threat protection for your containerized environments and generates alerts for suspicious activities. You can use this information to quickly remediate security issues and improve the security of your containers. Threat protection at the cluster level is provided by the Defender profile and analysis of the Kubernetes audit logs. Examples of events at this level include exposed Kubernetes dashboards, creation of high-privileged roles, and the creation of sensitive mounts.

-| Compliance | Docker CIS | VM, VMSS | GA | - | Log Analytics agent | Defender for Servers Plan 2 | Commercial clouds<br><br> National clouds: Azure Government, Azure China 21Vianet |

-### Outbound proxy support

-Outbound proxy without authentication and outbound proxy with basic authentication are supported. Outbound proxy that expects trusted certificates is currently not supported.

-### Outbound proxy support

-Outbound proxy without authentication and outbound proxy with basic authentication are supported. Outbound proxy that expects trusted certificates is currently not supported.

-### Outbound proxy support

-Outbound proxy without authentication and outbound proxy with basic authentication are supported. Outbound proxy that expects trusted certificates is currently not supported.

-1. Select **I accept the terms** option, and then select **Save**.

-|**Enterprise IoT networks** | - [Enterprise IoT purchase experience and Defender for Endpoint integration in GA](#enterprise-iot-purchase-experience-and-defender-for-endpoint-integration-in-ga) |

-### Enterprise IoT purchase experience and Defender for Endpoint integration in GA

-Defender for IoTΓÇÖs new purchase experience and the Enterprise IoT integration with Microsoft Defender for Endpoint is now in General Availability (GA). With this update, we've made the following updates and improvements:

-> Microsoft Graph API's (MGA) ability to send events to Even Grid (a generally available service) is in private preview. In the following steps, you will follow instructions from [Node.js](https://github.com/microsoftgraph/nodejs-webhooks-sample), [Java](https://github.com/microsoftgraph/java-spring-webhooks-sample), and[.NET Core](https://github.com/microsoftgraph/aspnetcore-webhooks-sample) Webhook samples to enable flow of events from Microsoft Graph API. At some point in the sample, you will have an application registered with Azure AD. Email your application ID to <a href="mailto:ask.graph.and.grid@microsoft.com?subject=Please allow my application ID">mailto:ask.graph.and.grid@microsoft.com?subject=Please allow my Azure AD application with ID to send events through Graph API</a> so that the Microsoft Graph API team can add your application ID to allow list to use this new capability.

-Threat intelligence-based filtering can be enabled for your firewall to alert and deny traffic from/to known malicious IP addresses and domains. The IP addresses and domains are sourced from the Microsoft Threat Intelligence feed, which includes multiple sources including the Microsoft Cyber Security team. [Intelligent Security Graph](https://www.microsoft.com/security/operations/intelligence) powers Microsoft threat intelligence and is used by multiple services including Microsoft Defender for Cloud.<br>

-2. On the Azure portal menu, select **Resource groups** or search for and select *Resource groups* from any page. Then select **Add**.

-1. For **Resource group name**, enter *Test-FW-RG*.

-This VNet will have three subnets.

-1. Select **Create**.

-1. For **IPv4 Address space**, type **10.0.0.0/16**.

-1. Under **Subnet**, select **default**.

-1. For **Subnet name** type **AzureFirewallSubnet**. The firewall will be in this subnet, and the subnet name **must** be AzureFirewallSubnet.

-1. For **Address range**, type **10.0.1.0/26**.

-2. Select **Windows Server 2016 Datacenter**.

- |Image|Windows Server 2016 Datacenter|

-12. Select **Disable** to disable boot diagnostics. Accept the other defaults and select **Review + create**.

-1. On the Azure portal menu, select **All services** or search for and select *All services* from any page.

-2. Under **Networking**, select **Route tables**.

-3. Select **Add**.

-1. On the Firewall-route page, select **Subnets** and then select **Associate**.

-16. For **Address prefix**, type **0.0.0.0/0**.

-17. For **Next hop type**, select **Virtual appliance**.

- These are public DNS servers operated by CenturyLink.

-11. For **Translated address**, type the **Srv-work** private IP address.

-1. Connect a remote desktop to firewall public IP address and sign in to the **Srv-Work** virtual machine.

-3. Open Internet Explorer and browse to `https://www.google.com`.

-|[Azure Cache for Redis should use private link](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F7803067c-7d34-46e3-8c79-0ca68fc4036d) |Private endpoints lets you connect your virtual network to Azure services without a public IP address at the source or destination. By mapping private endpoints to your Azure Cache for Redis instances, data leakage risks are reduced. Learn more at: [https://docs.microsoft.com/azure/azure-cache-for-redis/cache-private-link](https://docs.microsoft.com/azure/azure-cache-for-redis/cache-private-link). |AuditIfNotExists, Disabled |[1.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Cache/RedisCache_PrivateEndpoint_AuditIfNotExists.json) |

-|[Azure Key Vault should have firewall enabled](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F55615ac9-af46-4a59-874e-391cc3dfb490) |Enable the key vault firewall so that the key vault is not accessible by default to any public IPs. You can then configure specific IP ranges to limit access to those networks. Learn more at: [https://docs.microsoft.com/azure/key-vault/general/network-security](https://docs.microsoft.com/azure/key-vault/general/network-security) |Audit, Deny, Disabled |[3.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Key%20Vault/AzureKeyVaultFirewallEnabled_Audit.json) |

-|[Azure Machine Learning workspaces should use private link](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F40cec1dd-a100-4920-b15b-3024fe8901ab) |Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to Azure Machine Learning workspaces, data leakage risks are reduced. Learn more about private links at: [https://docs.microsoft.com/azure/machine-learning/how-to-configure-private-link](https://docs.microsoft.com/azure/machine-learning/how-to-configure-private-link). |Audit, Deny, Disabled |[1.1.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Machine%20Learning/Workspace_PrivateEndpoint_Audit.json) |

-|[VM Image Builder templates should use private link](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F2154edb9-244f-4741-9970-660785bccdaa) |Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to your VM Image Builder building resources, data leakage risks are reduced. Learn more about private links at: [https://docs.microsoft.com/azure/virtual-machines/linux/image-builder-networking#deploy-using-an-existing-vnet](https://docs.microsoft.com/azure/virtual-machines/linux/image-builder-networking#deploy-using-an-existing-vnet). |Audit, Disabled, Deny |[1.1.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/VM%20Image%20Builder/PrivateLinkEnabled_Audit.json) |

-|[Cosmos DB database accounts should have local authentication methods disabled](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F5450f5bd-9c72-4390-a9c4-a7aba4edfdd2) |Disabling local authentication methods improves security by ensuring that Cosmos DB database accounts exclusively require Azure Active Directory identities for authentication. Learn more at: [https://docs.microsoft.com/azure/cosmos-db/how-to-setup-rbac#disable-local-auth](https://docs.microsoft.com/azure/cosmos-db/how-to-setup-rbac#disable-local-auth). |Audit, Deny, Disabled |[1.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Cosmos%20DB/Cosmos_DisableLocalAuth_AuditDeny.json) |

-|[Authentication to Linux machines should require SSH keys](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F630c64f9-8b6b-4c64-b511-6544ceff6fd6) |Although SSH itself provides an encrypted connection, using passwords with SSH still leaves the VM vulnerable to brute-force attacks. The most secure option for authenticating to an Azure Linux virtual machine over SSH is with a public-private key pair, also known as SSH keys. Learn more: [https://docs.microsoft.com/azure/virtual-machines/linux/create-ssh-keys-detailed](https://docs.microsoft.com/azure/virtual-machines/linux/create-ssh-keys-detailed). |AuditIfNotExists, Disabled |[3.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Guest%20Configuration/GuestConfiguration_LinuxNoPasswordForSSH_AINE.json) |

-|[Azure Key Vault should have firewall enabled](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F55615ac9-af46-4a59-874e-391cc3dfb490) |Enable the key vault firewall so that the key vault is not accessible by default to any public IPs. You can then configure specific IP ranges to limit access to those networks. Learn more at: [https://docs.microsoft.com/azure/key-vault/general/network-security](https://docs.microsoft.com/azure/key-vault/general/network-security) |Audit, Deny, Disabled |[3.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Key%20Vault/AzureKeyVaultFirewallEnabled_Audit.json) |

-|[\[Preview\]: Azure Arc enabled Kubernetes clusters should have Microsoft Defender for Cloud extension installed](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F8dfab9c4-fe7b-49ad-85e4-1e9be085358f) |Microsoft Defender for Cloud extension for Azure Arc provides threat protection for your Arc enabled Kubernetes clusters. The extension collects data from all nodes in the cluster and sends it to the Azure Defender for Kubernetes backend in the cloud for further analysis. Learn more in [https://docs.microsoft.com/azure/defender-for-cloud/defender-for-containers-enable?pivots=defender-for-container-arc](https://docs.microsoft.com/azure/defender-for-cloud/defender-for-containers-enable?pivots=defender-for-container-arc). |AuditIfNotExists, Disabled |[6.0.0-preview](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Kubernetes/ASC_Azure_Defender_Kubernetes_Arc_Extension_Audit.json) |

-|[Azure Kubernetes Service clusters should have Defender profile enabled](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fa1840de2-8088-4ea8-b153-b4c723e9cb01) |Microsoft Defender for Containers provides cloud-native Kubernetes security capabilities including environment hardening, workload protection, and run-time protection. When you enable the SecurityProfile.AzureDefender on your Azure Kubernetes Service cluster, an agent is deployed to your cluster to collect security event data. Learn more about Microsoft Defender for Containers in [https://docs.microsoft.com/azure/defender-for-cloud/defender-for-containers-introduction?tabs=defender-for-container-arch-aks](https://docs.microsoft.com/azure/defender-for-cloud/defender-for-containers-introduction?tabs=defender-for-container-arch-aks) |Audit, Disabled |[1.0.3](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Kubernetes/ASC_Azure_Defender_Kubernetes_AKS_SecurityProfile_Audit.json) |

-|[\[Preview\]: Azure Arc enabled Kubernetes clusters should have Microsoft Defender for Cloud extension installed](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F8dfab9c4-fe7b-49ad-85e4-1e9be085358f) |Microsoft Defender for Cloud extension for Azure Arc provides threat protection for your Arc enabled Kubernetes clusters. The extension collects data from all nodes in the cluster and sends it to the Azure Defender for Kubernetes backend in the cloud for further analysis. Learn more in [https://docs.microsoft.com/azure/defender-for-cloud/defender-for-containers-enable?pivots=defender-for-container-arc](https://docs.microsoft.com/azure/defender-for-cloud/defender-for-containers-enable?pivots=defender-for-container-arc). |AuditIfNotExists, Disabled |[6.0.0-preview](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Kubernetes/ASC_Azure_Defender_Kubernetes_Arc_Extension_Audit.json) |

-|[Azure Kubernetes Service clusters should have Defender profile enabled](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fa1840de2-8088-4ea8-b153-b4c723e9cb01) |Microsoft Defender for Containers provides cloud-native Kubernetes security capabilities including environment hardening, workload protection, and run-time protection. When you enable the SecurityProfile.AzureDefender on your Azure Kubernetes Service cluster, an agent is deployed to your cluster to collect security event data. Learn more about Microsoft Defender for Containers in [https://docs.microsoft.com/azure/defender-for-cloud/defender-for-containers-introduction?tabs=defender-for-container-arch-aks](https://docs.microsoft.com/azure/defender-for-cloud/defender-for-containers-introduction?tabs=defender-for-container-arch-aks) |Audit, Disabled |[1.0.3](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Kubernetes/ASC_Azure_Defender_Kubernetes_AKS_SecurityProfile_Audit.json) |

-|[Endpoint protection health issues should be resolved on your machines](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F8e42c1f2-a2ab-49bc-994a-12bcd0dc4ac2) |Resolve endpoint protection health issues on your virtual machines to protect them from latest threats and vulnerabilities. Azure Security Center supported endpoint protection solutions are documented here - [https://docs.microsoft.com/azure/security-center/security-center-services?tabs=features-windows#supported-endpoint-protection-solutions](https://docs.microsoft.com/azure/security-center/security-center-services?tabs=features-windows#supported-endpoint-protection-solutions). Endpoint protection assessment is documented here - [https://docs.microsoft.com/azure/security-center/security-center-endpoint-protection](https://docs.microsoft.com/azure/security-center/security-center-endpoint-protection). |AuditIfNotExists, Disabled |[1.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/ASC_EndpointProtectionHealthIssuesShouldBeResolvedOnYourMachines_Audit.json) |

-### Ensure ASC Default policy setting "Monitor Endpoint Protection" is not "Disabled"

-**ID**: CIS Microsoft Azure Foundations Benchmark recommendation 2.5

-|[Saved-queries in Azure Monitor should be saved in customer storage account for logs encryption](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Ffa298e57-9444-42ba-bf04-86e8470e32c7) |Link storage account to Log Analytics workspace to protect saved-queries with storage account encryption. Customer-managed keys are commonly required to meet regulatory compliance and for more control over the access to your saved-queries in Azure Monitor. For more details on the above, see [/azure/azure-monitor/platform/customer-managed-keys?tabs=portal#customer-managed-key-for-saved-queries](/azure/azure-monitor/platform/customer-managed-keys?tabs=portal#customer-managed-key-for-saved-queries). |audit, Audit, deny, Deny, disabled, Disabled |[1.1.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Monitoring/LogAnalyticsWorkspaces_CMKBYOSQueryEnabled_Deny.json) |

-|[Azure Monitor Logs clusters should be encrypted with customer-managed key](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F1f68a601-6e6d-4e42-babf-3f643a047ea2) |Create Azure Monitor logs cluster with customer-managed keys encryption. By default, the log data is encrypted with service-managed keys, but customer-managed keys are commonly required to meet regulatory compliance. Customer-managed key in Azure Monitor gives you more control over the access to you data, see [https://docs.microsoft.com/azure/azure-monitor/platform/customer-managed-keys](https://docs.microsoft.com/azure/azure-monitor/platform/customer-managed-keys). |audit, Audit, deny, Deny, disabled, Disabled |[1.1.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Monitoring/LogAnalyticsClusters_CMKEnabled_Deny.json) |

-|[Saved-queries in Azure Monitor should be saved in customer storage account for logs encryption](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Ffa298e57-9444-42ba-bf04-86e8470e32c7) |Link storage account to Log Analytics workspace to protect saved-queries with storage account encryption. Customer-managed keys are commonly required to meet regulatory compliance and for more control over the access to your saved-queries in Azure Monitor. For more details on the above, see [https://docs.microsoft.com/azure/azure-monitor/platform/customer-managed-keys?tabs=portal#customer-managed-key-for-saved-queries](https://docs.microsoft.com/azure/azure-monitor/platform/customer-managed-keys?tabs=portal#customer-managed-key-for-saved-queries). |audit, Audit, deny, Deny, disabled, Disabled |[1.1.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Monitoring/LogAnalyticsWorkspaces_CMKBYOSQueryEnabled_Deny.json) |

-|[Azure Monitor Logs for Application Insights should be linked to a Log Analytics workspace](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fd550e854-df1a-4de9-bf44-cd894b39a95e) |Link the Application Insights component to a Log Analytics workspace for logs encryption. Customer-managed keys are commonly required to meet regulatory compliance and for more control over the access to your data in Azure Monitor. Linking your component to a Log Analytics workspace that's enabled with a customer-managed key, ensures that your Application Insights logs meet this compliance requirement, see [https://docs.microsoft.com/azure/azure-monitor/platform/customer-managed-keys](https://docs.microsoft.com/azure/azure-monitor/platform/customer-managed-keys). |audit, Audit, deny, Deny, disabled, Disabled |[1.1.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Monitoring/ApplicationInsightsComponent_WorkspaceAssociation_Deny.json) |

-|[Resource logs in Azure Key Vault Managed HSM should be enabled](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fa2a5b911-5617-447e-a49e-59dbe0e0434b) |To recreate activity trails for investigation purposes when a security incident occurs or when your network is compromised, you may want to audit by enabling resource logs on Managed HSMs. Please follow the instructions here: [https://docs.microsoft.com/azure/key-vault/managed-hsm/logging](https://docs.microsoft.com/azure/key-vault/managed-hsm/logging). |AuditIfNotExists, Disabled |[1.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Key%20Vault/ManagedHsm_AuditDiagnosticLog_Audit.json) |

-|[Azure Monitor Logs clusters should be encrypted with customer-managed key](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F1f68a601-6e6d-4e42-babf-3f643a047ea2) |Create Azure Monitor logs cluster with customer-managed keys encryption. By default, the log data is encrypted with service-managed keys, but customer-managed keys are commonly required to meet regulatory compliance. Customer-managed key in Azure Monitor gives you more control over the access to you data, see [https://docs.microsoft.com/azure/azure-monitor/platform/customer-managed-keys](https://docs.microsoft.com/azure/azure-monitor/platform/customer-managed-keys). |audit, Audit, deny, Deny, disabled, Disabled |[1.1.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Monitoring/LogAnalyticsClusters_CMKEnabled_Deny.json) |

-To be able to successfully setup Azure Monitor integration with HDInsight, behind a firewall, some customers may need to enable the following endpoints:

-HDInsight provides cluster-specific management solutions that you can add for Azure Monitor logs. [Management solutions](../azure-monitor/insights/solutions.md) add functionality to Azure Monitor logs, providing more data and analysis tools. These solutions collect important performance metrics from your HDInsight clusters. And provide the tools to search the metrics. These solutions also provide visualizations and dashboards for most cluster types supported in HDInsight. By using the metrics that you collect with the solution, you can create custom monitoring rules and alerts.

-description: Set up Hadoop, Kafka, Spark, HBase, or Storm clusters for HDInsight from a browser, the Azure classic CLI, Azure PowerShell, REST, or SDK.

-Learn how to set up and configure Apache Hadoop, Apache Spark, Apache Kafka, Interactive Query, Apache HBase, or Apache Storm in HDInsight. Also, learn how to customize clusters and add security by joining them to a domain.

-> [!IMPORTANT]

-> [!IMPORTANT]

-> HDInsight clusters are available in various types, each for a single workload or technology. There is no supported method to create a cluster that combines multiple types, such as Storm and HBase on one cluster. If your solution requires technologies that are spread across multiple HDInsight cluster types, an [Azure virtual network](../virtual-network/index.yml) can connect the required cluster types.

-| [Storm](storm/apache-storm-overview.md) |Real-time event processing |

-* Characters not allowed: #;."',\/:`!*?$(){}[]<>|&--=+%~^space

-* Characters not allowed: #;."',\/:`!*?$(){}[]<>|&--=+%~^space

-* Reserved names: hadoop, users, oozie, hive, mapred, ambari-qa, zookeeper, tez, hdfs, sqoop, yarn, hcat, ams, hbase, storm, administrator, admin, user, user1, test, user2, test1, user3, admin1, 1, 123, a, actuser, adm, admin2, aspnet, backup, console, david, guest, john, owner, root, server, sql, support, support_388945a0, sys, test2, test3, user4, user5, spark

-> [!WARNING]

-> [!Note]

-> [!IMPORTANT]

-> [!IMPORTANT]

-| Storm |Nimbus node (2), supervisor server (1+), ZooKeeper node (3) |:::image type="content" source="./media/hdinsight-hadoop-provision-linux-clusters/hdinsight-storm-cluster-type-setup.png" alt-text="HDInsight storm cluster type setup" border="false"::: |

- * Two *head nodes*

- * Four *Worker nodes*

-* Storm cluster type default:

- * Two *Nimbus nodes*

- * Three *ZooKeeper nodes*

- * Four *supervisor nodes*

-> [!NOTE]

-> [!IMPORTANT]

-An HDInsight application is an application that users can install on a Linux-based HDInsight cluster. You can use applications provided by Microsoft, third parties, or that you develop yourself. For more information, see [Install third-party Apache Hadoop applications on Azure HDInsight](hdinsight-apps-install-applications.md).

-> [!NOTE]

->

-* clusterIdentity.xml

-* core-site.xml

-* gateway.xml

-* hbase-env.xml

-* hbase-site.xml

-* hdfs-site.xml

-* hive-env.xml

-* hive-site.xml

-* mapred-site

-* oozie-site.xml

-* oozie-env.xml

-* storm-site.xml

-* tez-site.xml

-* webhcat-site.xml

-* yarn-site.xml

-> New Azure Montitor integration is in Public Preview. It is only available in East US and West Europe regions.

-**Selective Logging (releasing soon)**: There are logs and metrics available through Log Analytics. To help you save on monitoring costs, we'll be releasing a new selective logging feature. Use this feature to turn on and off different logs and metric sources. With this feature, you'll only have to pay for what you use.

-description: The FHIR service enables rapid exchange of data through FHIR APIs. Ingest, manage, and persist Protected Health Information PHI with a managed cloud service.

-# What is FHIR&reg; service?

-FHIR service in Azure Health Data Services (hereby called the FHIR service) enables rapid exchange of data through Fast Healthcare Interoperability Resources (FHIR®) APIs, backed by a managed Platform-as-a Service (PaaS) offering in the cloud. It makes it easier for anyone working with health data to ingest, manage, and persist Protected Health Information [PHI](https://www.hhs.gov/answers/hipaa/what-is-phi/https://docsupdatetracker.net/index.html) in the cloud:

-FHIR service allows you to create and deploy a FHIR server in just minutes to leverage the elastic scale of the cloud. The Azure services that power the FHIR service are designed for rapid performance no matter what size datasets you're managing.

-The FHIR API and compliant data store enable you to securely connect and interact with any system that utilizes FHIR APIs. Microsoft takes on the operations, maintenance, updates, and compliance requirements in the PaaS offering, so you can free up your own operational and development resources.

-The healthcare industry is rapidly transforming health data to the emerging standard of [FHIR&reg;](https://hl7.org/fhir) (Fast Healthcare Interoperability Resources). FHIR enables a robust, extensible data model with standardized semantics and data exchange that enables all systems using FHIR to work together. Transforming your data to FHIR allows you to quickly connect existing data sources such as the electronic health record systems or research databases. FHIR also enables the rapid exchange of data in modern implementations of mobile and web development. Most importantly, FHIR can simplify data ingestion and accelerate development with analytics and machine learning tools.

-FHIR service allows for the exchange of data via consistent, RESTful, FHIR APIs based on the HL7 FHIR specification. Backed by a managed PaaS offering in Azure, it also provides a scalable and secure environment for the management and storage of Protected Health Information (PHI) data in the native FHIR format.

-You could invest resources building and running your own FHIR server, but with FHIR service in Azure Health Data Services, Microsoft takes on the workload of operations, maintenance, updates and compliance requirements, allowing you to free up your own operational and development resources.

-Using the FHIR service enables to you connect with any system that leverages FHIR APIs for read, write, search, and other functions. It can be used as a powerful tool to consolidate, normalize, and apply machine learning with clinical data from electronic health records, clinician and patient dashboards, remote monitoring programs, or with databases outside of your system that have FHIR APIs.

-You control your data. Role-based access control (RBAC) enables you to manage how your data is stored and accessed. Providing increased security and reducing administrative workload, you determine who has access to the datasets you create, based on role definitions you create for your environment.

-Protect your PHI with unparalleled security intelligence. Your data is isolated to a unique database per API instance and protected with multi-region failover. FHIR service implements a layered, in-depth defense and advanced threat protection for your data.

-FHIR servers are key tools for interoperability of health data. The FHIR service is designed as an API and service that you can create, deploy, and begin using quickly. As the FHIR standard expands in healthcare, use cases will continue to grow, but some initial customer applications where FHIR service is useful are below:

-Exchange of data via the FHIR service provides audit logs and access controls that help control the flow of data and who has access to what data types.

-## FHIR from Microsoft

-* The FHIR service in Azure Health Data Services is a platform as a service (PaaS) offering in Azure that's easily provisioned in the Azure portal and managed by Microsoft. Includes the ability to provision other datasets, such as DICOM in the same workspace.

-* Azure API for FHIR - A PaaS offering in Azure, easily provisioned in the Azure portal and managed by Microsoft. This implementation only includes FHIR data and is a GA product.

-* FHIR Server for Azure ΓÇô an open-source project that can be deployed into your Azure subscription, available on GitHub at https://github.com/Microsoft/fhir-server.

-For use cases that requires extending or customizing FHIR server or require access the underlying servicesΓÇösuch as the databaseΓÇöwithout going through the FHIR APIs, developers should choose the open-source FHIR Server for Azure. For implementation of a turn-key, production-ready FHIR API and backend service where persisted data should only be accessed through the FHIR API, developers should choose FHIR service.

-To start working with the FHIR service, follow the 5-minute quickstart to deploy FHIR service.

-description: This article provides an overview of the OPC Publisher Command-line Arguments

-# Command-line Arguments

-In the following, there are several Command-line Arguments described that can be used to set global settings for OPC Publisher.

-## OPC Publisher Command-line Arguments for Version 2.5 and below

-* Usage: opcpublisher.exe \<applicationname> [\<iothubconnectionstring>] [\<options>]

-

-* applicationname: the OPC UA application name to use, required

- The application name is also used to register the publisher under this name in the

- IoT Hub device registry.

-

-* iothubconnectionstring: the IoT Hub owner connectionstring, optional. Typically you specify the IoTHub owner connectionstring only on the first start of the application. The connection string is encrypted and stored in the platforms certificate store.

-On subsequent calls, it's read from there and reused. If you specify the connectionstring on each start, the device, which is created for the application in the IoT Hub device registry is removed and recreated each time.

-

-There are a couple of environment variables, which can be used to control the application:

-```

- _HUB_CS: sets the IoTHub owner connectionstring

- _GW_LOGP: sets the filename of the log file to use

- _TPC_SP: sets the path to store certificates of trusted stations

- _GW_PNFP: sets the filename of the publishing configuration file

-```

-> [!NOTE]

-> Command-line Arguments overrule environment variable settings.

-

-```

- --pf, --publishfile=VALUE

- the filename to configure the nodes to publish.

- Default: '/appdata/publishednodes.json'

- --tc, --telemetryconfigfile=VALUE

- the filename to configure the ingested telemetry

- Default: ''

- -s, --site=VALUE

- the site OPC Publisher is working in. if specified this domain is appended (delimited by a ':' to the 'ApplicationURI' property when telemetry is sent to IoTHub.

- The value must follow the syntactical rules of a

- DNS hostname.

- Default: not set

- --ic, --iotcentral

- OPC Publisher sends OPC UA data in IoTCentral

- compatible format (DisplayName of a node is used

- as key, this key is the Field name in IoTCentral)

- . you need to ensure that all DisplayName's are

- unique. (Auto enables fetch display name)

- Default: False

- --sw, --sessionconnectwait=VALUE

- specify the wait time in seconds publisher is

- trying to connect to disconnected endpoints and

- starts monitoring unmonitored items

- Min: 10

- Default: 10

- --mq, --monitoreditemqueuecapacity=VALUE

- specify how many notifications of monitored items

- can be stored in the internal queue, if the data

- can not be sent quick enough to IoTHub

- Min: 1024

- Default: 8192

- --di, --diagnosticsinterval=VALUE

- shows publisher diagnostic info at the specified

- interval in seconds (need log level info).

- -1 disables remote diagnostic log and diagnostic

- output

- 0 disables diagnostic output

- Default: 0

- --ns, --noshutdown=VALUE

- same as runforever.

- Default: False

- --rf, --runforever

- OPC Publisher can not be stopped by pressing a key on

- the console, but runs forever.

- Default: False

- --lf, --logfile=VALUE

- the filename of the logfile to use.

- Default: './<hostname>-publisher.log'

- --lt, --logflushtimespan=VALUE

- the timespan in seconds when the logfile should be

- flushed.

- Default: 00:00:30 sec

- --ll, --loglevel=VALUE

- the loglevel to use (allowed: fatal, error, warn,

- info, debug, verbose).

- Default: info

- --ih, --iothubprotocol=VALUE

- the protocol to use for communication with IoTHub (allowed values: Amqp, Http1, Amqp_WebSocket_Only,

- Amqp_Tcp_Only, Mqtt, Mqtt_WebSocket_Only, Mqtt_

- Tcp_Only) or IoT EdgeHub (allowed values: Mqtt_

- Tcp_Only, Amqp_Tcp_Only).

- Default for IoTHub: Mqtt_WebSocket_Only

- Default for IoT EdgeHub: Amqp_Tcp_Only

- --ms, --iothubmessagesize=VALUE

- the max size of a message which can be sent to

- IoTHub. When telemetry of this size is available

- it is sent.

- 0 enforces immediate send when telemetry is

- available

- Min: 0

- Max: 262144

- Default: 262144

- --si, --iothubsendinterval=VALUE

- the interval in seconds when telemetry should be

- sent to IoTHub. If 0, then only the

- iothubmessagesize parameter controls when

- telemetry is sent.

- Default: '10'

- --dc, --deviceconnectionstring=VALUE

- if publisher is not able to register itself with

- IoTHub, you can create a device with name <

- applicationname> manually and pass in the

- connectionstring of this device.

- Default: none

- -c, --connectionstring=VALUE

- the IoTHub owner connectionstring.

- Default: none

- --hb, --heartbeatinterval=VALUE

- the publisher is using this as default value in

- seconds for the heartbeat interval setting of

- nodes without

- a heartbeat interval setting.

- Default: 0

- --sf, --skipfirstevent=VALUE

- the publisher is using this as default value for

- the skip first event setting of nodes without

- a skip first event setting.

- Default: False

- --pn, --portnum=VALUE

- the server port of the publisher OPC server

- endpoint.

- Default: 62222

- --pa, --path=VALUE

- the enpoint URL path part of the publisher OPC

- server endpoint.

- Default: '/UA/Publisher'

- --lr, --ldsreginterval=VALUE

- the LDS(-ME) registration interval in ms. If 0,

- then the registration is disabled.

- Default: 0

- --ol, --opcmaxstringlen=VALUE

- the max length of a string opc can transmit/

- receive.

- Default: 131072

- --ot, --operationtimeout=VALUE

- the operation timeout of the publisher OPC UA

- client in ms.

- Default: 120000

- --oi, --opcsamplinginterval=VALUE

- the publisher is using this as default value in

- milliseconds to request the servers to sample

- the nodes with this interval

- this value might be revised by the OPC UA

- servers to a supported sampling interval.

- please check the OPC UA specification for

- details how this is handled by the OPC UA stack.

- a negative value sets the sampling interval

- to the publishing interval of the subscription

- this node is on.

- 0 configures the OPC UA server to sample in

- the highest possible resolution and should be

- taken with care.

- Default: 1000

- --op, --opcpublishinginterval=VALUE

- the publisher is using this as default value in

- milliseconds for the publishing interval setting

- of the subscriptions established to the OPC UA

- servers.

- please check the OPC UA specification for

- details how this is handled by the OPC UA stack.

- a value less than or equal zero lets the

- server revise the publishing interval.

- Default: 0

- --ct, --createsessiontimeout=VALUE

- specify the timeout in seconds used when creating

- a session to an endpoint. On unsuccessful

- connection attemps a backoff up to 5 times the

- specified timeout value is used.

- Min: 1

- Default: 10

- --ki, --keepaliveinterval=VALUE

- specify the interval in seconds the publisher is

- sending keep alive messages to the OPC servers

- on the endpoints it is connected to.

- Min: 2

- Default: 2

- --kt, --keepalivethreshold=VALUE

- specify the number of keep alive packets a server

- can miss, before the session is disconneced

- Min: 1

- Default: 5

- --aa, --autoaccept

- the OPC Publisher trusts all servers it is

- establishing a connection to.

- Default: False

- --tm, --trustmyself=VALUE

- same as trustowncert.

- Default: False

- --to, --trustowncert

- the OPC Publisher certificate is put into the trusted

- certificate store automatically.

- Default: False

- --fd, --fetchdisplayname=VALUE

- same as fetchname.

- Default: False

- --fn, --fetchname

- enable to read the display name of a published

- node from the server. this increases the

- runtime.

- Default: False

- --ss, --suppressedopcstatuscodes=VALUE

- specifies the OPC UA status codes for which no

- events should be generated.

- Default: BadNoCommunication,

- BadWaitingForInitialData

- --at, --appcertstoretype=VALUE

- the own application cert store type.

- (allowed values: Directory, X509Store)

- Default: 'Directory'

- --ap, --appcertstorepath=VALUE

- the path where the own application cert should be

- stored

- Default (depends on store type):

- X509Store: 'CurrentUser\UA_MachineDefault'

- Directory: 'pki/own'

- --tp, --trustedcertstorepath=VALUE

- the path of the trusted cert store

- Default: 'pki/trusted'

- --rp, --rejectedcertstorepath=VALUE

- the path of the rejected cert store

- Default 'pki/rejected'

- --ip, --issuercertstorepath=VALUE

- the path of the trusted issuer cert store

- Default 'pki/issuer'

- --csr

- show data to create a certificate signing request

- Default 'False'

- --ab, --applicationcertbase64=VALUE

- update/set this applications certificate with the

- certificate passed in as bas64 string

- --af, --applicationcertfile=VALUE

- update/set this applications certificate with the

- certificate file specified

- --pb, --privatekeybase64=VALUE

- initial provisioning of the application

- certificate (with a PEM or PFX fomat) requires a

- private key passed in as base64 string

- --pk, --privatekeyfile=VALUE

- initial provisioning of the application

- certificate (with a PEM or PFX fomat) requires a

- private key passed in as file

- --cp, --certpassword=VALUE

- the optional password for the PEM or PFX or the

- installed application certificate

- --tb, --addtrustedcertbase64=VALUE

- adds the certificate to the applications trusted

- cert store passed in as base64 string (multiple

- comma-separated strings supported)

- --tf, --addtrustedcertfile=VALUE

- adds the certificate file(s) to the applications

- trusted cert store passed in as base64 string (

- multiple comma-separated filenames supported)

- --ib, --addissuercertbase64=VALUE

- adds the specified issuer certificate to the

- applications trusted issuer cert store passed in

- as base64 string (multiple comma-separated strings supported)

- --if, --addissuercertfile=VALUE

- adds the specified issuer certificate file(s) to

- the applications trusted issuer cert store (

- multiple comma-separated filenames supported)

- --rb, --updatecrlbase64=VALUE

- update the CRL passed in as base64 string to the

- corresponding cert store (trusted or trusted

- issuer)

- --uc, --updatecrlfile=VALUE

- update the CRL passed in as file to the

- corresponding cert store (trusted or trusted

- issuer)

- --rc, --removecert=VALUE

- remove cert(s) with the given thumbprint(s) (

- multiple comma-separated thumbprints supported)

- --dt, --devicecertstoretype=VALUE

- the iothub device cert store type.

- (allowed values: Directory, X509Store)

- Default: X509Store

- --dp, --devicecertstorepath=VALUE

- the path of the iot device cert store

- Default Default (depends on store type):

- X509Store: 'My'

- Directory: 'CertificateStores/IoTHub'

- -i, --install

- register OPC Publisher with IoTHub and then exits.

- Default: False

- -h, --help

- show this message and exit

- --st, --opcstacktracemask=VALUE

- ignored.

- --sd, --shopfloordomain=VALUE

- same as site option

- The value must follow the syntactical rules of a

- DNS hostname.

- Default: not set

- --vc, --verboseconsole=VALUE

- ignored.

- --as, --autotrustservercerts=VALUE

- same as autoaccept

- Default: False

- --tt, --trustedcertstoretype=VALUE

- ignored.

- the trusted cert store always resides in a

- directory.

- --rt, --rejectedcertstoretype=VALUE

- ignored.

- the rejected cert store always resides in a

- directory.

- --it, --issuercertstoretype=VALUE

- ignored.

- the trusted issuer cert store always

- resides in a directory.

-```

-## OPC Publisher Command-line Arguments for Version 2.6 and above

-```

- --pf, --publishfile=VALUE

- the filename to configure the nodes to publish.

- If this Option is specified it puts OPC Publisher into stadalone mode.

- --lf, --logfile=VALUE

- the filename of the logfile to use.

- --ll. --loglevel=VALUE

- the log level to use (allowed: fatal, error,

- warn, info, debug, verbose).

- --me, --messageencoding=VALUE

- the messaging encoding for outgoing messages

- allowed values: Json, Uadp

- --mm, --messagingmode=VALUE

- the messaging mode for outgoing messages

- allowed values: PubSub, Samples

- --fm, --fullfeaturedmessage=VALUE

- the full featured mode for messages (all fields filled in).

- Default is 'true', for legacy compatibility use 'false'

- --aa, --autoaccept

- the publisher trusted all servers it is establishing a connection to

- --bs, --batchsize=VALUE

- the number of OPC UA data-change messages to be cached for batching.

- --si, --iothubsendinterval=VALUE

- the trigger batching interval in seconds.

- --ms, --iothubmessagesize=VALUE

- the maximum size of the (IoT D2C) message.

- --om, --maxoutgressmessages=VALUE

- the maximum size of the (IoT D2C) message egress buffer.

- --di, --diagnosticsinterval=VALUE

- shows publisher diagnostic info at the specified interval in seconds

- (need log level info). -1 disables remote diagnostic log and diagnostic output

- --lt, --logflugtimespan=VALUE

- the timespan in seconds when the logfile should be flushed.

- --ih, --iothubprotocol=VALUE

- protocol to use for communication with the hub.

- allowed values: AmqpOverTcp, AmqpOverWebsocket, MqttOverTcp,

- MqttOverWebsocket, Amqp, Mqtt, Tcp, Websocket, Any

- --hb, --heartbeatinterval=VALUE

- the publisher is using this as default value in seconds for the

- heartbeat interval setting of nodes without a heartbeat interval setting.

- --ot, --operationtimeout=VALUE

- the operation timeout of the publisher OPC UA client in ms.

- --ol, --opcmaxstringlen=VALUE

- the max length of a string opc can transmit/receive.

- --oi, --opcsamplinginterval=VALUE

- default value in milliseconds to request the servers to sample values

- --op, --opcpublishinginterval=VALUE

- default value in milliseconds for the publishing interval setting

- of the subscriptions against the OPC UA server.

- --ct, --createsessiontimeout=VALUE

- the interval in seconds the publisher is sending keep alive

- messages to the OPC servers on the endpoints it is connected to.

- --kt, --keepalivethresholt=VALUE

- specify the number of keep alive packets a server can miss,

- before the session is disconnected.

- --tm, --trustmyself

- the publisher certificate is put into the trusted store automatically.

- --at, --appcertstoretype=VALUE

- the own application cert store type (allowed: Directory, X509Store).

-```

-## OPC Publisher Command-line Arguments for Version 2.8.2 and above

-The following OPC Publisher configuration can be applied by Command Line Interface (CLI) options or as environment variable settings.

-The `Alternative` field, where present, refers to the CLI argument applicable in **standalone mode only**. When both environment variable and CLI argument are provided, the latest will overrule the env variable.

-```

- PublishedNodesFile=VALUE

- The file used to store the configuration of the nodes to be published

- along with the information to connect to the OPC UA server sources

- When this file is specified, or the default file is accessible by

- the module, OPC Publisher will start in standalone mode

- Alternative: --pf, --publishfile

- Mode: Standalone only

- Type: string - file name, optionally prefixed with the path

- Default: publishednodes.json

- site=VALUE

- The site OPC Publisher is assigned to

- Alternative: --s, --site

- Mode: Standalone and Orchestrated

- Type: string

- Default: <not set>

- LogFileName==VALUE

- The filename of the logfile to use

- Alternative: --lf, --logfile

- Mode: Standalone only

- Type: string - file name, optionally prefixed with the path

- Default: <not set>

- LogFileFlushTimeSpan=VALUE

- The time span in seconds when the logfile should be flushed in the storage

- Alternative: --lt, --logflushtimespan

- Mode: Standalone only

- Environment variable type: time span string {[d.]hh:mm:ss[.fffffff]}

- Alternative argument type: integer in seconds

- Default: {00:00:30}

- loglevel=Value

- The level for logs to pe persisted in the logfile

- Alternative: --ll --loglevel

- Mode: Standalone only

- Type: string enum - Fatal, Error, Warning, Information, Debug, Verbose

- Default: info

- EdgeHubConnectionString=VALUE

- An IoT Edge Device or IoT Edge module connection string to use,

- when deployed as module in IoT Edge, the environment variable

- is already set as part of the container deployment

- Alternative: --dc, --deviceconnectionstring

- --ec, --edgehubconnectionstring

- Mode: Standalone and Orchestrated

- Type: connection string

- Default: <not set> <set by iotedge runtime>

- Transport=VALUE

- Protocol to use for upstream communication to edgeHub or IoTHub

- Alternative: --ih, --iothubprotocol

- Mode: Standalone and Orchestrated

- Type: string enum: Any, Amqp, Mqtt, AmqpOverTcp, AmqpOverWebsocket,

- MqttOverTcp, MqttOverWebsocket, Tcp, Websocket.

- Default: MqttOverTcp

- BypassCertVerification=VALUE

- Enables/disables bypass of certificate verification for upstream communication to edgeHub

- Alternative: N/A

- Mode: Standalone and Orchestrated

- Type: boolean

- Default: false

-

- EnableMetrics=VALUE

- Enables/disables upstream metrics propagation

- Alternative: N/A

- Mode: Standalone and Orchestrated

- Type: boolean

- Default: true

- DefaultPublishingInterval=VALUE

- Default value for the OPC UA publishing interval of OPC UA subscriptions

- created to an OPC UA server. This value is used when no explicit setting

- is configured.

- Alternative: --op, --opcpublishinginterval

- Mode: Standalone only

- Environment variable type: time span string {[d.]hh:mm:ss[.fffffff]}

- Alternative argument type: integer in milliseconds

- Default: {00:00:01} (1000)

- DefaultSamplingInterval=VALUE

- Default value for the OPC UA sampling interval of nodes to publish.

- This value is used when no explicit setting is configured.

- Alternative: --oi, --opcsamplinginterval

- Mode: Standalone only

- Environment variable type: time span string {[d.]hh:mm:ss[.fffffff]}

- Alternative argument type: integer in milliseconds

- Default: {00:00:01} (1000)

- DefaultQueueSize=VALUE

- Default setting value for the monitored item's queue size to be used when

- not explicitly specified in pn.json file

- Alternative: --mq, --monitoreditemqueuecapacity

- Mode: Standalone only

- Type: integer

- Default: 1

- DefaultHeartbeatInterval=VALUE

- Default value for the heartbeat interval setting of published nodes

- having no explicit setting for heartbeat interval.

- Alternative: --hb, --heartbeatinterval

- Mode: Standalone

- Environment variable type: time span string {[d.]hh:mm:ss[.fffffff]}

- Alternative argument type: integer in seconds

- Default: {00:00:00} meaning heartbeat is disabled

- MessageEncoding=VALUE

- The messaging encoding for outgoing telemetry.

- Alternative: --me, --messageencoding

- Mode: Standalone only

- Type: string enum - Json, Uadp

- Default: Json

- MessagingMode=VALUE

- The messaging mode for outgoing telemetry.

- Alternative: --mm, --messagingmode

- Mode: Standalone only

- Type: string enum - PubSub, Samples

- Default: Samples

- FetchOpcNodeDisplayName=VALUE

- Fetches the DisplayName for the nodes to be published from

- the OPC UA Server when not explicitly set in the configuration.

- Note: This has high impact on OPC Publisher startup performance.

- Alternative: --fd, --fetchdisplayname

- Mode: Standalone only

- Type: boolean

- Default: false

- FullFeaturedMessage=VALUE

- The full featured mode for messages (all fields filled in the telemetry).

- Default is 'false' for legacy compatibility.

- Alternative: --fm, --fullfeaturedmessage

- Mode: Standalone only

- Type:boolean

- Default: false

- BatchSize=VALUE

- The number of incoming OPC UA data change messages to be cached for batching.

- When BatchSize is 1 or TriggerInterval is set to 0 batching is disabled.

- Alternative: --bs, --batchsize

- Mode: Standalone and Orchestrated

- Type: integer

- Default: 50

- BatchTriggerInterval=VALUE

- The batching trigger interval.

- When BatchSize is 1 or TriggerInterval is set to 0 batching is disabled.

- Alternative: --si, --iothubsendinterval

- Mode: Standalone and Orchestrated

- Environment variable type: time span string {[d.]hh:mm:ss[.fffffff]}

- Alternative argument type: integer in seconds

- Default: {00:00:10}

- IoTHubMaxMessageSize=VALUE

- The maximum size of the (IoT D2C) telemetry message.

- Alternative: --ms, --iothubmessagesize

- Mode: Standalone and Orchestrated

- Type: integer

- Default: 0

- DiagnosticsInterval=VALUE

- Shows publisher diagnostic info at the specified interval in seconds

- (need log level info). -1 disables remote diagnostic log and

- diagnostic output

- Alternative: --di, --diagnosticsinterval

- Mode: Standalone only

- Environment variable type: time span string {[d.]hh:mm:ss[.fffffff]}

- Alternative argument type: integer in seconds

- Default: {00:00:60}

- LegacyCompatibility=VALUE

- Forces the Publisher to operate in 2.5 legacy mode, using

- `"application/opcua+uajson"` for `ContentType` on the IoT Hub

- Telemetry message.

- Alternative: --lc, --legacycompatibility

- Mode: Standalone only

- Type: boolean

- Default: false

- PublishedNodesSchemaFile=VALUE

- The validation schema filename for published nodes file.

- Alternative: --pfs, --publishfileschema

- Mode: Standalone only

- Type: string

- Default: <not set>

- MaxNodesPerDataSet=VALUE

- Maximum number of nodes within a DataSet/Subscription.

- When more nodes than this value are configured for a

- DataSetWriter, they will be added in a separate DataSet/Subscription.

- Alternative: N/A

- Mode: Standalone only

- Type: integer

- Default: 1000

- ApplicationName=VALUE

- OPC UA Client Application Config - Application name as per

- OPC UA definition. This is used for authentication during communication

- init handshake and as part of own certificate validation.

- Alternative: --an, --appname

- Mode: Standalone and Orchestrated

- Type: string

- Default: "Microsoft.Azure.IIoT"

- ApplicationUri=VALUE

- OPC UA Client Application Config - Application URI as per

- OPC UA definition.

- Alternative: N/A

- Mode: Standalone and Orchestrated

- Type: string

- Default: $"urn:localhost:{ApplicationName}:microsoft:"

- ProductUri=VALUE

- OPC UA Client Application Config - Product URI as per

- OPC UA definition.

- Alternative: N/A

- Mode: Standalone and Orchestrated

- Type: string

- Default: "https://www.github.com/Azure/Industrial-IoT"

- DefaultSessionTimeout=VALUE

- OPC UA Client Application Config - Session timeout in seconds

- as per OPC UA definition.

- Alternative: --ct --createsessiontimeout

- Mode: Standalone and Orchestrated

- Type: integer

- Default: 0, meaning <not set>

- MinSubscriptionLifetime=VALUE

- OPC UA Client Application Config - Minimum subscription lifetime in seconds

- as per OPC UA definition.

- Alternative: N/A

- Mode: Standalone and Orchestrated

- Type: integer

- Default: 0, <not set>

- KeepAliveInterval=VALUE

- OPC UA Client Application Config - Keep alive interval in seconds

- as per OPC UA definition.

- Alternative: --ki, --keepaliveinterval

- Mode: Standalone and Orchestrated

- Type: integer milliseconds

- Default: 10,000 (10s)

- MaxKeepAliveCount=VALUE

- OPC UA Client Application Config - Maximum count of keep alive events

- as per OPC UA definition.

- Alternative: --kt, --keepalivethreshold

- Mode: Standalone and Orchestrated

- Type: integer

- Default: 50

- PkiRootPath=VALUE

- OPC UA Client Security Config - PKI certificate store root path

- Alternative: N/A

- Mode: Standalone and Orchestrated

- Type: string

- Default: "pki"

- ApplicationCertificateStorePath=VALUE

- OPC UA Client Security Config - application's

- own certificate store path

- Alternative: --ap, --appcertstorepath

- Mode: Standalone and Orchestrated

- Type: string

- Default: $"{PkiRootPath}/own"

- ApplicationCertificateStoreType=VALUE

- OPC UA Client Security Config - application's

- own certificate store type

- Alternative: --at, --appcertstoretype

- Mode: Standalone and Orchestrated

- Type: enum string : Directory, X509Store

- Default: Directory

- ApplicationCertificateSubjectName=VALUE

- OPC UA Client Security Config - the subject name

- in the application's own certificate

- Alternative: --sn, --appcertsubjectname

- Mode: Standalone and Orchestrated

- Type: string

- Default: "CN=Microsoft.Azure.IIoT, C=DE, S=Bav, O=Microsoft, DC=localhost"

- TrustedIssuerCertificatesPath=VALUE

- OPC UA Client Security Config - trusted certificate issuer

- store path

- Alternative: --ip, --issuercertstorepath

- Mode: Standalone and Orchestrated

- Type: string

- Default: $"{PkiRootPath}/issuers"

- TrustedIssuerCertificatesType=VALUE

- OPC UA Client Security Config - trusted issuer certificates

- store type

- Alternative: N/A

- Mode: Standalone and Orchestrated

- Type: enum string : Directory, X509Store

- Default: Directory

- TrustedPeerCertificatesPath=VALUE

- OPC UA Client Security Config - trusted peer certificates

- store path

- Alternative: --tp, --trustedcertstorepath

- Mode: Standalone and Orchestrated

- Type: string

- Default: $"{PkiRootPath}/trusted"

- TrustedPeerCertificatesType=VALUE

- OPC UA Client Security Config - trusted peer certificates

- store type

- Alternative: N/A

- Mode: Standalone and Orchestrated

- Type: enum string : Directory, X509Store

- Default: Directory

- RejectedCertificateStorePath=VALUE

- OPC UA Client Security Config - rejected certificates

- store path

- Alternative: --rp, --rejectedcertstorepath

- Mode: Standalone and Orchestrated

- Type: string

- Default: $"{PkiRootPath}/rejected"

- RejectedCertificateStoreType=VALUE

- OPC UA Client Security Config - rejected certificates

- store type

- Alternative: N/A

- Mode: Standalone and Orchestrated

- Type: enum string : Directory, X509Store

- Default: Directory

- AutoAcceptUntrustedCertificates=VALUE

- OPC UA Client Security Config - auto accept untrusted

- peer certificates

- Alternative: --aa, --autoaccept

- Mode: Standalone and Orchestrated

- Type: boolean

- Default: false

- RejectSha1SignedCertificates=VALUE

- OPC UA Client Security Config - reject deprecated Sha1

- signed certificates

- Alternative: N/A

- Mode: Standalone and Orchestrated

- Type: boolean

- Default: false

- MinimumCertificateKeySize=VALUE

- OPC UA Client Security Config - minimum accepted

- certificates key size

- Alternative: N/A

- Mode: Standalone and Orchestrated

- Type: integer

- Default: 1024

- AddAppCertToTrustedStore=VALUE

- OPC UA Client Security Config - automatically copy own

- certificate's public key to the trusted certificate store

- Alternative: --tm, --trustmyself

- Mode: Standalone and Orchestrated

- Type: boolean

- Default: true

- SecurityTokenLifetime=VALUE

- OPC UA Stack Transport Secure Channel - Security token lifetime in milliseconds

- Alternative: N/A

- Mode: Standalone and Orchestrated

- Type: integer (milliseconds)

- Default: 3,600,000 (1h)

- ChannelLifetime=VALUE

- OPC UA Stack Transport Secure Channel - Channel lifetime in milliseconds

- Alternative: N/A

- Mode: Standalone and Orchestrated

- Type: integer (milliseconds)

- Default: 300,000 (5 min)

- MaxBufferSize=VALUE

- OPC UA Stack Transport Secure Channel - Max buffer size

- Alternative: N/A

- Mode: Standalone and Orchestrated

- Type: integer

- Default: 65,535 (64KB -1)

- MaxMessageSize=VALUE

- OPC UA Stack Transport Secure Channel - Max message size

- Alternative: N/A

- Mode: Standalone and Orchestrated

- Type: integer

- Default: 4,194,304 (4 MB)

- MaxArrayLength=VALUE

- OPC UA Stack Transport Secure Channel - Max array length

- Alternative: N/A

- Mode: Standalone and Orchestrated

- Type: integer

- Default: 65,535 (64KB - 1)

- MaxByteStringLength=VALUE

- OPC UA Stack Transport Secure Channel - Max byte string length

- Alternative: N/A

- Mode: Standalone and Orchestrated

- Type: integer

- Default: 1,048,576 (1MB);

- OperationTimeout=VALUE

- OPC UA Stack Transport Secure Channel - OPC UA Service call

- operation timeout

- Alternative: --ot, --operationtimeout

- Mode: Standalone and Orchestrated

- Type: integer (milliseconds)

- Default: 120,000 (2 min)

- MaxStringLength=VALUE

- OPC UA Stack Transport Secure Channel - Maximum length of a string

- that can be send/received over the OPC UA Secure channel

- Alternative: --ol, --opcmaxstringlen

- Mode: Standalone and Orchestrated

- Type: integer

- Default: 130,816 (128KB - 256)

- RuntimeStateReporting=VALUE

- Enables reporting of OPC Publisher restarts.

- Alternative: --rs, --runtimestatereporting

- Mode: Standalone

- Type: boolean

- Default: false

- EnableRoutingInfo=VALUE

- Adds the routing info to telemetry messages. The name of the property is

- `$$RoutingInfo` and the value is the `DataSetWriterGroup` for that particular message.

- When the `DataSetWriterGroup` is not configured, the `$$RoutingInfo` property will

- not be added to the message even if this argument is set.

- Alternative: --ri, --enableroutinginfo

- Mode: Standalone

- Type: boolean

- Default: false

-```

-Further resources can be found in the GitHub repositories:

-> [IIoT Platform GitHub repository](https://github.com/Azure/iot-edge-opc-publisher)

-description: In this tutorial, you learn how to change the default values of the configuration.

-# Tutorial: Configure the Industrial IoT components

-The deployment script automatically configures all components to work with each other using default values. However, the settings of the default values can be changed to meet your requirements.

-> * Customize the configuration of the components

-Here are some of the more relevant customization settings for the components:

-* IoT Hub

- * Networking→Public access: Configure Internet access, for example, IP filters

- * Networking → Private endpoint connections: Create an endpoint that's not accessible

- through the Internet and can be consumed internally by other Azure services or on-premises devices (for example, through a VPN connection)

- * IoT Edge: Manage the configuration of the edge devices that are connected to the OPC

-UA servers

-* Cosmos DB

- * Replicate data globally: Configure data-redundancy

- * Firewall and virtual networks: Configure Internet and VNET access, and IP filters

- * Private endpoint connections: Create an endpoint that is not accessible through the

-Internet

-* Key Vault

- * Secrets: Manage platform settings

- * Access policies: Manage which applications and users may access the data in the Key

-Vault and which operations (for example, read, write, list, delete) they are allowed to perform on the network, firewall, VNET, and private endpoints

-* Microsoft Azure Active Directory (Azure AD)→App registrations

- * <APP_NAME>-web → Authentication: Manage reply URIs, which is the list of URIs that

-can be used as landing pages after authentication succeeds. The deployment script may be unable to configure this automatically under certain scenarios, such as lack of Azure AD admin rights. You may want to add or modify URIs when changing the hostname of the Web app, for example, the port number used by the localhost for debugging

-* App Service

- * Configuration: Manage the environment variables that control the services or UI

-* Virtual machine

- * Networking: Configure supported networks and firewall rules

- * Serial console: SSH access to get insights or for debugging, get the credentials from the

-output of deployment script or reset the password

-* IoT Hub → IoT Edge

- * Manage the identities of the IoT Edge devices that may access the hub, configure which modules are installed and which configuration they use, for example, encoding parameters for the OPC Publisher

-* IoT Hub → IoT Edge → \<DEVICE> → Set Modules → OpcPublisher (for standalone OPC Publisher operation only)

-## Configuration via Command-line Arguments for OPC Publisher 2.8.2 and above

-There are [several Command-line Arguments](reference-command-line-arguments.md#opc-publisher-command-line-arguments-for-version-282-and-above) that can be used to set global settings for OPC Publisher.

-Refer to the `mode` part in the command line description to check if a Command-line Argument is applicable to orchestrated or standalone mode.

-Now that you have learned how to change the default values of the configuration, you can

-> [Pull IIoT data into ADX](tutorial-industrial-iot-azure-data-explorer.md)

-> [Visualize and analyze the data using Time Series Insights](tutorial-visualize-data-time-series-insights.md)

-1. Select **Browse** and then search for `Microsoft.TSS`.

-### Static routes fix

-Every time EFLOW VM starts, the networking services recreates all routes, and any previously assigned priority could change. To work around this issue, you can assign the desired priority for each route every time the EFLOW VM starts. You can create a service that executes every time the VM starts and use the `route` command to set the desired route priorities.

-| VaultAlreadyExists | Your attempt to create a new key vault with the specified name has failed since the name is already in use. If you recently deleted a key vault with this name, it may still be in the soft deleted state. You can verify if it existis in soft-deleted state [here](./key-vault-recovery.md?tabs=azure-portal#list-recover-or-purge-a-soft-deleted-key-vault) |

-| ForbiddenByFirewall | Client address is not authorized and caller is not a trusted service. |

-| ConflictError | You're requesting multiple operations on same item. |

-| RegionNotSupported | Specified azure region is not supported for this resource. |

-| SkuNotSupported | Specified SKU type is not supported for this resource. |

-| ResourceNotFound | Specified azure resource is not found. |

-| ResourceGroupNotFound | Specified azure resource group is not found. |

-[Learn more](https://glasnostic.com/blog/announcing-glasnostic-for-azure-gateway-load-balancer)

-description: Restrict creating and using API connections in Azure Logic Apps.

-# Block connections created by connectors in Azure Logic Apps

-> To access Azure storage accounts behind firewalls by using HTTP requests and managed identities,

-> make sure that you also set up your storage account with the [exception that allows access by trusted Microsoft services](../connectors/connectors-create-api-azureblobstorage.md#access-blob-storage-in-same-region-with-managed-identities).

- WHERE jobid = $(job_execution_id)

- WHERE jobid = $(job_execution_id))

-> After your offer is published, you cannot change the pricing model. In addition, all plans for the same offer must share the same pricing model.

-1. Select either the **Monthly** or **Annual** check box, or both and then enter the price.

-1. In the **Monthly quantity included in base** box, enter the quantity (as an integer) of the dimension that's included each month for customers who pay the recurring monthly fee. To set an unlimited quantity, select the check box instead.

-1. In the **Annual quantity included in base** box, enter the quantity of the dimension (as an integer) that's included each month for customers who pay the recurring annual fee. To set an unlimited quantity, select the check box instead.

-1. To add another custom meter dimension, select the **Add another Dimension** link, and then repeat steps 1 through 7.

-2. If applicable, under **User limits**, specify the minimum and maximum number of users for this plan.

-3. Under **Billing term**, specify a monthly price, annual price, or both.

-| Software as a service (SaaS) | Monthly and annual | Yes | Flat rate, per user, usage-based. |

-| Dynamics 365 apps on Dataverse and Power Apps [2] | Monthly and annual | No | Per user |

-| Power BI visual [3] | Monthly and annual | No | Per user |

-[2] Dynamics 365 apps on Dataverse and Power Apps offers that you transact through Microsoft are automatically enabled for license management. See [ISV app license management for Dynamics 365 apps on Dataverse and Power Apps](isv-app-license.md).

-[3] Power BI visual offers that you transact through Microsoft are automatically enabled for license management. See [ISV app license management for Power BI visual offers](isv-app-license-power-bi-visual.md).

-SaaS subscriptions can be priced at a flat rate or per user on a monthly or annual basis. If you enable the **Sell through Microsoft** option for a SaaS offer, you have the following cost structure:

- - If your SaaS offer integrates with Microsoft Graph, then provide the Azure Active Directory (AAD) App ID used by your SaaS offer for the integration. Administrators can review access permissions required for the proper functioning of your SaaS offer as set on the AAD App ID and grant access if advanced admin permission is needed at deployment time.

- If you choose to sell your offer through Microsoft, then this is the same AAD App ID that you have registered to use on your landing page to get basic user information needed to complete customer subscription activation. For detailed guidance, see [Build the landing page for your transactable SaaS offer in the commercial marketplace](azure-ad-transactable-saas-landing-page.md).

- - ΓÇ£Contact meΓÇ¥ list-only offers.

- - The SaaS offer is linked to add-ins, but it does not integrate with Microsoft Graph and no AAD App ID is provided.

- - The SaaS offer is linked to add-ins, but AAD App ID provided for Microsoft Graph integration is shared across multiple SaaS offers.

-

-SaaS app offers that are sold through Microsoft support monthly or annual billing based on a flat fee, per user, or consumption charges using the [metered billing service](./partner-center-portal/saas-metered-billing.md). The commercial marketplace operates on an agency model, whereby publishers set prices, Microsoft bills customers, and Microsoft pays revenue to publishers while withholding an agency fee.

-A preview audience can access your offer prior to being published live in the online stores. They can see how your offer will look in the commercial marketplace and test the end-to-end functionality before you publish it live.

-You must associate a pricing model with each plan for the following offer types. Each of these offer types have different available pricing models:

-If your offer fails any of the listing, technical, or policy checks, or if you are not eligible to submit an offer of that type, we email a certification failure report to you.

-| [Lumen Technologies](https://www.ctl.io/microsoft-azure-peering-services/) |North America, Europe, Asia|

-| [NAP Africa](https://www.napafrica.net/technical/microsoft-azure-peering-service/) |Africa|

-| [CMC Networks](https://www.cmcnetworks.net/products/microsoft-azure-peering-services.html) |Africa|

-| [MainOne](https://www.mainone.net/connectivity-services/) |Africa|

-| [BICS](https://www.bics.com/services/capacity-solutions/cloud-connect/microsoft-azure-cloud-connect/) |Europe|

-| [Atman](https://www.atman.pl/en/atman-internet-maps/) |Europe|

-| [LINX](https://www.linx.net/services/microsoft-azure-peering/) |Europe|

-| [Converge ICT](https://www.convergeict.com/enterprise/microsoft-azure-peering-service-maps/) |Asia|

-will be installed as well. In particular, PostgreSQL versions 12-14 come with

-> For all values in this table, you must use the same values you used when deploying the Azure Kubernetes Service on Azure Stack HCI (AKS-HCI) cluster on the Azure Stack Edge Pro device for this site. You did this as part of the steps in [Order and set up your Azure Stack Edge Pro device(s)](complete-private-mobile-network-prerequisites.md#order-and-set-up-your-azure-stack-edge-pro-devices).

- | The IP address for the control plane interface on the access network. For 5G, this interface is the N2 interface, whereas for 4G, it's the S1-MME interface. |**N2 address (signaling)** (for 5G) or **S1-MME address** (for 4G).|

- | The IP address for the user plane interface on the access network. For 5G, this interface is the N3 interface, whereas for 4G, it's the S1-U interface. |N/A. You'll only need this value if you're using an ARM template to create the site.|

- | The network address of the access subnet in Classless Inter-Domain Routing (CIDR) notation. |**N2 subnet** and **N3 subnet** (for 5G), or **S1-MME subnet** and **S1-U subnet** (for 4G).|

- | The access subnet default gateway. |**N2 gateway** and **N3 gateway** (for 5G), or **S1-MME gateway** and **S1-U gateway** (for 4G).|

- |The name of the data network. |**Data network**|

- | The IP address for the user plane interface on the data network. For 5G, this interface is the N6 interface, whereas for 4G, it's the SGi interface. You identified the IP address for this interface in [Allocate subnets and IP addresses](complete-private-mobile-network-prerequisites.md#allocate-subnets-and-ip-addresses) and it must match the value you used when deploying the AKS-HCI cluster. |N/A. You'll only need this value if you're using an ARM template to create the site.|

- |The network address of the data subnet in CIDR notation. You identified this address in [Allocate subnets and IP addresses](complete-private-mobile-network-prerequisites.md#allocate-subnets-and-ip-addresses) and it must match the value you used when deploying the AKS-HCI cluster. |**N6/SGi subnet**|

- |The data subnet default gateway. You identified this in [Allocate subnets and IP addresses](complete-private-mobile-network-prerequisites.md#allocate-subnets-and-ip-addresses) and it must match the value you used when deploying the AKS-HCI cluster. |**N6/SGi gateway**|

-If you want to provision SIMs as part of deploying your private mobile network, you must choose one of the following provisioning methods:

-You must then collect each of the values given in the following table for each SIM resource you want to provision.

- |Value |Field name in Azure portal | JSON file parameter name |

-SIM policies allow you to define different sets of policies and interoperability settings. Each SIM policy can be assigned to a different group of SIMs. This allows you to offer different quality of service (QoS) policy settings to different groups of SIMs on the same data network.

-Contact your trials engineer and ask them to register your Azure subscription for access to Azure Private 5G Core. If you do not already have a trials engineer and are interested in trialing Azure Private 5G Core, contact your Microsoft account team, or express your interest through the [partner registration form](https://aka.ms/privateMECMSP).

-Choose whether each site in the private mobile network should provide coverage for 5G or 4G user equipment (UEs). A single site cannot support 5G and 4G UEs simultaneously. If you're deploying multiple sites, you can choose to have some sites support 5G UEs and others support 4G UEs.

- If you decide to support both methods for a particular site, ensure that the IP address pools are of the same size and do not overlap.

-1. Sign in to the Azure portal at [https://aka.ms/AP5GCPortal](https://aka.ms/AP5GCPortal).

- - **Location:** leave this field unchanged.

-*SIM policies* allow you to define different sets of policies and interoperability settings that can each be assigned to a group of SIMs. You'll need to assign a SIM policy to a SIM before the user equipment (UE) using that SIM can access the private mobile network. In this how-to-guide, you'll learn how to configure a SIM policy.

-1. Sign in to the Azure portal at [https://aka.ms/AP5GCPortal](https://aka.ms/AP5GCPortal).

-1. If you want to assign this SIM policy to one or more existing provisioned SIMs, select **Next : Assign to SIMs**, and then select your chosen SIMs from the list that appears.

-1. Sign in to the Azure portal at [https://aka.ms/AP5GCPortal](https://aka.ms/AP5GCPortal).

- :::image type="content" source="media/how-to-guide-deploy-a-private-mobile-network-azure-portal/create-site-basics-tab.png" alt-text="Screenshot of the Azure portal showing the Basics configuration tab for a site resource.":::

- :::image type="content" source="media/how-to-guide-deploy-a-private-mobile-network-azure-portal/create-site-packet-core-tab.png" alt-text="Screenshot of the Azure portal showing the Packet core configuration tab for a site resource.":::

- - Leave the **Version** field blank unless you've been instructed to do otherwise by your support representative.

- - Use the same value for both the **S1-MME gateway** and **S1-U gateway** fields (if this site will support 4G UEs).

-1. Use the information you collected in [Collect data network values](collect-required-information-for-a-site.md#collect-data-network-values) to fill out the fields in the **Attached data networks** section. Note that you can only connect the packet core instance to a single data network.

- :::image type="content" source="media/how-to-guide-deploy-a-private-mobile-network-azure-portal/create-site-validation.png" alt-text="Screenshot of the Azure portal showing successful validation of configuration values for a site resource.":::

- :::image type="content" source="media/how-to-guide-deploy-a-private-mobile-network-azure-portal/site-related-resources.png" alt-text="Screenshot of the Azure portal showing a resource group containing a site and its related resources." lightbox="media/how-to-guide-deploy-a-private-mobile-network-azure-portal/site-related-resources.png":::

- | **Location** | Leave this field unchanged. |

- | **Control Plane Access Interface Name** | Enter the name of the interface that corresponds to port 5 on your Azure Stack Edge Pro device. |

- | **User Plane Access Interface Name** | Enter the name of the interface that corresponds to port 5 on your Azure Stack Edge Pro device. |

- | **User Plane Access Interface Ip Address** | Enter the IP address for the user plane interface on the access network. |

- | **User Plane Data Interface Name** | Enter the name of the interface that corresponds to port 6 on your Azure Stack Edge Pro device. |

- | **User Plane Data Interface Ip Address** | Enter the IP address for the user plane interface on the data network. |

- | **Core Network Technology** | Enter `5GC` for 5G, or `EPC` for 4G. |

- :::image type="content" source="media/how-to-guide-deploy-a-private-mobile-network-azure-portal/site-related-resources.png" alt-text="Screenshot of the Azure portal showing a resource group containing a site and its related resources." lightbox="media/how-to-guide-deploy-a-private-mobile-network-azure-portal/site-related-resources.png":::

-|The service name. |*Allow-all-traffic* |

- |**SIM Resources** | If you want to provision SIMs, paste in the contents of the JSON file containing your SIM information. Otherwise, leave this field unchanged. |

- |**Control Plane Access Interface Name** | Enter the name of the interface that corresponds to port 5 on your Azure Stack Edge Pro device. |

- |**User Plane Access Interface Name** | Enter the name of the interface that corresponds to port 5 on your Azure Stack Edge Pro device. |

- |**User Plane Access Interface Ip Address** | Enter the IP address for the user plane interface on the access network. |

- |**User Plane Data Interface Name** | Enter the name of the interface that corresponds to port 6 on your Azure Stack Edge Pro device. |

- |**User Plane Data Interface Ip Address** | Enter the IP address for the user plane interface on the data network. |

- |**Core Network Technology** | Enter `5GC` for 5G, or `EPC` for 4G. |

- - One or more **SIM** resources representing physical SIMs or eSIMs (if you provisioned any).

-1. Sign in to the Azure portal at [https://aka.ms/AP5GCPortal](https://aka.ms/AP5GCPortal).

- The configuration change can take a few minutes to finish before taking effect, and all omsagent pods in the cluster will restart. The restart is a rolling restart for all omsagent pods, not all restart at the same time. When the restarts are finished, a message is displayed that's similar to the following and includes the result: `configmap "container-azm-ms-agentconfig" created`.

-1. Sign in to the Azure portal at [https://aka.ms/AP5GCPortal](https://aka.ms/AP5GCPortal).

-

-1. Sign in to the Azure portal at [https://aka.ms/AP5GCPortal](https://aka.ms/AP5GCPortal).

- - If you select **Upload JSON file**, the **Upload SIM profile configurations** field will appear. Use this field to upload your chosen JSON file.

- - If you select **Add manually**, a new set of fields will appear under **Enter SIM profile configurations**. Fill out the first row of these fields with the correct settings for the first SIM you want to provision. If you've got more SIMs you want to provision, add the settings for each of these SIMs to a new row.

-1. If you want to use the default service and SIM policy, set **Do you wish to create a basic, default SIM policy and assign it these SIMs?** to **Yes**, and then enter the name of the data network into the **Data network name** field that appears.

- - One or more **SIM** resources (if you provisioned any).

- :::image type="content" source="media/pmn-deployment-resource-group.png" alt-text="Screenshot of the Azure portal showing a resource group containing Mobile Network, SIM, Service, SIM policy, Data Network, and Slice resources.":::

- Each SIM policy defines a set of policies and interoperability settings, which can each be assigned to a group of SIMs. You'll need to assign a SIM policy to a SIM before the UE using that SIM can access the private mobile network.

-*SIM policies* let you define different sets of policies and interoperability settings that can each be assigned to a group of SIMs. You'll need to assign a SIM to a SIM policy before the SIM can use the private mobile network.

-1. Group your SIMs according to the services they'll require. For each group, configure a SIM policy and assign it to the correct SIMs by carrying out the following procedures:

-description: This how-to guide shows how to provision SIMs using an Azure Resource Manager (ARM) template.

-# Provision SIMs for Azure Private 5G Core Preview - ARM template

-[](https://portal.azure.com/#create/Microsoft.Template/uri/https%3A%2F%2Fraw.githubusercontent.com%2FAzure%2Fazure-quickstart-templates%2Fmaster%2Fquickstarts%2Fmicrosoft.mobilenetwork%2Fmobilenetwork-provision-sims%2Fazuredeploy.json)

-Use the information you collected in [Collect the required information for your SIMs](#collect-the-required-information-for-your-sims) to create an array containing properties for each of the SIMs you want to provision. The following is an example of an array containing properties for two SIMs.

- "simProfileName": "profile2",

-<!--

-Need to confirm whether the following link is correct.

-The template used in this quickstart is from [Azure Quickstart Templates](https://azure.microsoft.com/resources/templates/mobilenetwork-provision-sims).

-The template defines one or more [**Microsoft.MobileNetwork/sims**](/azure/templates/microsoft.mobilenetwork/sims) resources, each of which represents a physical SIM or eSIM.

- [](https://portal.azure.com/#create/Microsoft.Template/uri/https%3A%2F%2Fraw.githubusercontent.com%2FAzure%2Fazure-quickstart-templates%2Fmaster%2Fquickstarts%2Fmicrosoft.mobilenetwork%2Fmobilenetwork-provision-sims%2Fazuredeploy.json)

-1. Select or enter the following values, using the information you retrieved in [Prerequisites](#prerequisites). <!-- We should also add a screenshot of a filled out set of parameters. -->

- - **Location:** leave this field unchanged.

- - **SIM resources:** paste in the array you prepared in [Prepare an array for your SIMs](#prepare-an-array-for-your-sims).

-1. Confirm that your SIMs have been created in the resource group.

- :::image type="content" source="media/provision-sims-arm-template/sims-resource-group.png" alt-text="Screenshot of the Azure portal showing a resource group containing newly provisioned SIMs.":::

-## Next steps

-You'll need to assign a SIM policy to your SIMs to bring them into service.

-<!-- we may want to update the template to include SIM policies, or update the link below to reference the ARM template procedure rather than the portal -->

-# Provision SIMs for Azure Private 5G Core Preview - Azure portal

-*SIM* resources represent physical SIMs or eSIMs used by user equipment (UEs) served by the private mobile network. In this how-to guide, we'll provision new SIMs for an existing private mobile network. You can also choose to assign static IP addresses and a SIM policy to the SIMs you provision.

- Each IP address must come from the pool you assigned for static IP address allocation when creating the relevant site, as described in [Collect data network values](collect-required-information-for-a-site.md#collect-data-network-values). For more information, see [Allocate User Equipment (UE) IP address pools](complete-private-mobile-network-prerequisites.md#allocate-user-equipment-ue-ip-address-pools).

- If you're assigning a static IP address to a SIM, you'll also need the following information.

- - The SIM policy to assign to the SIM. You won't be able to set a static IP address for a SIM without also assigning a SIM policy.

- - The name of the data network the SIM will use.

- - The site at which the SIM will use this static IP address.

-Prepare the JSON file using the information you collected for your SIMs in [Collect the required information for your SIMs](#collect-the-required-information-for-your-sims). This example file shows the required format. It contains the parameters required to provision two SIMs (`SIM1` and `SIM2`).

- "deviceType": "Cellphone"

- "simProfileName": "profile2",

- "deviceType": "Sensor"

-1. Sign in to the Azure portal at [https://aka.ms/AP5GCPortal](https://aka.ms/AP5GCPortal).

-1. Select **Add SIMs**.

- :::image type="content" source="media/provision-sims-azure-portal/add-sims.png" alt-text="Screenshot of the Azure portal showing the Add SIMs button on a Mobile Network resource":::

-1. In **Add SIMs** on the right, use the information you collected in [Collect the required information for your SIMs](#collect-the-required-information-for-your-sims) to fill out the fields for one of the SIMs you want to provision.

-1. The Azure portal will display the resource group containing your private mobile network. Select the **Mobile Network** resource.

-1. In the resource menu, select **SIMs**.

-## Assign static IP addresses

-In this step, you'll assign static IP addresses to your SIMs. You can skip this step if you don't want to assign any static IP addresses.

-1. Search for and select the **Mobile Network** resource representing the private mobile network containing your SIMs.

- :::image type="content" source="media/mobile-network-search.png" alt-text="Screenshot of the Azure portal. It shows the results of a search for a Mobile Network resource.":::

-1. In the resource menu, select **SIMs**.

-1. You'll see a list of provisioned SIMs in the private mobile network. Select each SIM to which you want to assign a static IP address, and then select **Assign Static IPs**.

- :::image type="content" source="media/provision-sims-azure-portal/assign-static-ips.png" alt-text="Screenshot of the Azure portal showing a list of provisioned SIMs. Selected SIMs and the Assign Static I Ps button are highlighted.":::

-1. In **Assign static IP configurations** on the right, run the following steps for each SIM in turn. If your private mobile network has multiple sites and you want to assign a different static IP address for each site to the same SIM, you'll need to repeat these steps on the same SIM for each IP address.

- 1. Set **SIM name** your chosen SIM.

- 1. Set **SIM policy** to the SIM policy you want to assign to this SIM.

- 1. Set **Slice** to **slice-1**.

- 1. Set **Data network name** to the name of the data network this SIM will use.

- 1. Set **Site** to the site at which the SIM will use this static IP address.

- 1. Set **Static IP** to your chosen IP address.

- 1. Select **Save static IP configuration**. The SIM will then appear in the list under **Number of pending changes**.

- :::image type="content" source="media/provision-sims-azure-portal/assign-static-ip-configurations.png" alt-text="Screenshot of the Azure portal showing the Assign static I P configurations screen.":::

-1. Once you have assigned static IP addresses to all of your chosen SIMs, select **Assign static IP configurations**.

-1. The Azure portal will now begin deploying the configuration change. When the deployment is complete, select **Go to resource** (if you have assigned a static IP address to a single SIM) or **Go to resource group** (if you have assigned static IP addresses to multiple SIMs).

- - If you assigned a static IP address to a single SIM, you'll be taken to that SIM resource. Check the **SIM policy** field in the **Management** section and the list under the **Static IP Configuration** section to confirm that the correct SIM policy and static IP address have been assigned successfully.

- - If you assigned a SIM policy to multiple SIMs, you'll be taken to the resource group containing your private mobile network. Select the **Mobile Network** resource, and then select **SIMs** in the resource menu. Check the **SIM policy** column in the SIMs list to confirm the correct SIM policy has been assigned to your chosen SIMs. You can then select an individual SIM and check the **Static IP Configuration** section to confirm that the correct static IP address has been assigned to that SIM.

-## Assign SIM policies

-In this step, you'll assign SIM policies to your SIMs. SIMs need an assigned SIM policy before they can use your private mobile network. You can skip this step and come back to it later if you don't want the SIMs to be able to access the private mobile network straight away. You can also skip this step for any SIMs to which you've assigned a static IP address, as these SIMs will already have an assigned SIM policy.

-1. Search for and select the **Mobile Network** resource representing the private mobile network containing your SIMs.

- :::image type="content" source="media/mobile-network-search.png" alt-text="Screenshot of the Azure portal. It shows the results of a search for a Mobile Network resource.":::

-1. In the resource menu, select **SIMs**.

-1. You'll see a list of provisioned SIMs in the private mobile network. For each SIM policy you want to assign to one or more SIMs, do the following:

- 1. Tick the checkbox next to the name of each SIM to which you want to assign the SIM policy.

- 1. Select **Assign SIM policy**.

- 1. In **Assign SIM policy** on the right, select your chosen SIM policy from the **SIM policy** drop-down menu.

- 1. Select **Assign SIM policy**.

-

- :::image type="content" source="media/provision-sims-azure-portal/assign-sim-policy.png" alt-text="Screenshot of the Azure portal. It shows a list of provisioned SIMs and fields to assign a SIM policy." lightbox="media/provision-sims-azure-portal/assign-sim-policy.png":::

-1. The Azure portal will now begin deploying the configuration change. When the deployment is complete, select **Go to resource** (if you have assigned a SIM policy to a single SIM) or **Go to resource group** (if you have assigned a SIM policy to multiple SIMs).

- - If you assigned a SIM policy to a single SIM, you'll be taken to that SIM resource. Check the **SIM policy** field in the **Management** section to confirm that the correct SIM policy has been assigned successfully.

- - If you assigned a SIM policy to multiple SIMs, you'll be taken to the resource group containing your private mobile network. Select the **Mobile Network** resource, and then select **SIMs** in the resource menu. Check the **SIM policy** column in the SIMs list to confirm the correct SIM policy has been assigned to your chosen SIMs.

-1. Repeat this step for any other SIM policies you want to assign to SIMs.

-1. Sign in to the Azure portal at [https://aka.ms/AP5GCPortal](https://aka.ms/AP5GCPortal).

-1. In the **Resource** menu, select **Add SIMs**.

- :::image type="content" source="media/provision-sims-azure-portal/add-sims.png" alt-text="Screenshot of the Azure portal showing the Add SIMs button on a Mobile Network resource":::

-1. The Azure portal will now begin deploying the SIMs. When the deployment is complete, select **Go to resource group**.

- :::image type="content" source="media/provision-sims-azure-portal/multiple-sim-resource-deployment.png" alt-text="Screenshot of the Azure portal showing a completed deployment of SIM resources through a J S O N file and the Go to resource button.":::

-1. In the **Resource group** that appears, select the **Mobile Network** resource representing your private mobile network.

-1. In the **Resource** menu, select **SIMs**.

- :::image type="content" source="media/tutorial-create-example-set-of-policy-control-configuration/sims-resource-menu-option.png" alt-text="Screenshot of the Azure portal. The SIMs option in the resource menu for a private mobile network is highlighted.":::

-1. Your new **SIM1** and **SIM2** SIM resources are shown in the list.

- :::image type="content" source="media/tutorial-create-example-set-of-policy-control-configuration/sims-list.png" alt-text="Screenshot of the Azure portal. It shows the SIMs currently provisioned for the private mobile network." lightbox="media/tutorial-create-example-set-of-policy-control-configuration/sims-list.png":::

- :::image type="content" source="media/tutorial-create-example-set-of-policy-control-configuration/sim-with-sim-policy.png" alt-text="Screenshot of the Azure portal showing a SIM resource. The SIM policy field is highlighted in the Management section." lightbox="media/tutorial-create-example-set-of-policy-control-configuration/sim-with-sim-policy.png":::

-1. Search for and select the Mobile Network resource representing your private mobile network.

-1. In the **Resource** menu, select **SIMs**.

-1. In the **Resource** menu, select **SIMs**.

-1. Tick the checkboxes next to **SIM1** and **SIM2**, and then select **Delete** from the **Command** bar.

-1. Select **Delete** to confirm your choice.

-1. Once the SIMs have been deleted, select **SIM policies** from the **Resource** menu.

-## Upgrade the packet core instance

-Carry out the following steps to upgrade the packet core instance.

-1. Sign in to the Azure portal at [https://aka.ms/AP5GCPortal](https://aka.ms/AP5GCPortal).

-1. Select the site containing the packet core instance you want to upgrade.

-1. Under the **Network function** heading, select the name of the packet core control plane resource shown next to **Packet Core**.

-1. Under **Upgrade packet core version**, fill out the **New version** field with the string for the new software version provided to you by your trials engineer.

-## Sampling within a file

-Get-AzRouteServerPeerAdvertisedRoute @routeserver

-$routeserver = @{

- AllowBranchToBranchTraffic

-Get-AzRouteServerPeerLearnedRoute @routeserver

-$peer = @{

-Remove-AzRouteServerPeer @peer

-# Azure Route Server FAQ

-This tutorial shows you how to deploy an Azure Route Server into a virtual network and establish a BGP peering connection with a Quagga network virtual appliance. You'll deploy a virtual network with five subnets. One subnet will be dedicated to the Azure Route Server and another subnet dedicated to the Quagga NVA. The Quagga NVA will be configured to exchange routes with the Route Server. Lastly, you'll test to make sure routes are properly exchanged on the Azure Route Server and Quagga NVA.

-> * Create virtual network with five subnets

-> * Deploy virtual machine running Quagga

-You'll need a virtual network to deploy both the Azure Route Server and the Quagga NVA into. Each deployment will have its own dedicated subnet.

-1. On the top left-hand side of the screen, select **Create a resource** and search for **Virtual Network**. Then select **Create**.

-1. On the *Basics* tab of *Create a virtual network* enter or select the following information then select **Next : IP Addresses >**:

- | -- | -- |

- | Subscription | Select the subscription for this deployment. |

- | Resource group | Select an existing or create a new resource group for this deployment. |

- | Name | Enter a name for the virtual network. This tutorial will use *myVirtualNetwork*.

- | Region | Select the region for which this virtual network will be deployed in. This tutorial will use *West US*.

-1. On the **IP Addresses** tab, configure the *virtual network address space* to **10.1.0.0/16**. Then configure the following five subnets:

- | GatewaySubnet | 10.1.5.0/24 |

-1. Go to https://aka.ms/routeserver.

-1. Select **+ Create new route server**.

- :::image type="content" source="./media/quickstart-configure-route-server-portal/route-server-landing-page.png" alt-text="Screenshot of Route Server landing page.":::

-1. On the **Create a Route Server** page, enter, or select the following information:

- | Subscription | Select the same subscription the virtual was created in the previous section. |

- | Resource group | Select the existing resource group *myRouteServerRG*. |

- | Name | Enter the Route Server name *myRouteServer*. |

- | Region | Select the **West US** region. |

- | Virtual Network | Select the *myVirtualNetwork* virtual network. |

- | Subnet | Select the *RouteServerSubnet (10.1.0.0/25)* created previously. |

- | Public IP address | Create a new or selecting an existing Standard public IP address to use with the Route Server. This IP address ensures connectivity to the backend service that manages the Route Server configuration. |

-To configure the Quagga network virtual appliance, you will need to deploy a Linux virtual machine.

-1. From the Azure portal, select **+ Create a resource > Compute > Virtual machine**. Then select **Create**.

- :::image type="content" source="./media/tutorial-configure-route-server-with-quagga/create-virtual-machine.png" alt-text="Screenshot of creating new virtual machine page.":::

-1. On the *Basics* tab, enter or select the following information:

- | Subscription | Select the same subscription as the virtual network deployed previously. |

- | Resource group | Select the existing resource group *myRouteServerRG*. |

- | Virtual machine name | Enter the name **Quagga**. |

- | Region | Select the **West US** region. |

- | Image | Select **Ubuntu 18.04 LTS - Gen 1**. |

- | Authentication type | Select **Password** |

- | Password | Enter and confirm the password of your choosing. |

- | Virtual Network | Select **myVirtualNetwork**. |

- | NIC network security group | Leave as default. **Basic**. |

- | Public inbound ports | Leave as default. **Allow selected ports**. |

- | Select inbound ports | Leaves as default. **SSH (22)**. |

-1. Once the VM has deployed, go to the networking settings of the Quagga VM and select the network interface.

-1. Select **IP configuration** under *Settings* and then select **ipconfig1**.

- :::image type="content" source="./media/tutorial-configure-route-server-with-quagga/quagga-ip-configuration.png" alt-text="Screenshot of IP configuration page of the Quagga VM.":::

-1. Change the assignment from *Dynamic* to **Static** and then change the IP address from *10.1.4.4* to **10.1.4.10**. This IP is used in this [script](https://raw.githubusercontent.com/Azure/azure-quickstart-templates/master/quickstarts/microsoft.network/route-server-quagga/scripts/quaggadeploy.sh) which will be run in a later step. If you want to use a different IP address ensure to update the IP in the script. Select **Save** to update the IP configuration of the VM.

-1. Using [Putty](https://www.putty.org/) connect to the Quagga VM using the public IP address and credential used to create the VM.

-1. Once logged in, enter `sudo su` to switch to super user to avoid errors running the script. Copy this [script](https://raw.githubusercontent.com/Azure/azure-quickstart-templates/master/quickstarts/microsoft.network/route-server-quagga/scripts/quaggadeploy.sh) and paste it into the Putty session. The script will configure the virtual machine with Quagga along with other network settings. Update the script to suit your network environment before running it on the virtual machine. It will take a few minutes for the script to complete the setup.

-1. Select **Peers** under *Settings*. Then select **+ Add** to add a new peer.

-1. On the *Add Peer* page, enter the following information, and then select **Add** to save the configuration:

- | Name | Enter a name to identify this peer. **Quagga**. |

- | ASN | Enter the ASN number for the Quagga NVA. **65001** is the ASN defined in the script. |

- | IPv4 Address | Enter the private IP of the Quagga NVA virtual machine. |

-1. The Peers page should look like this once you add a peer:

-1. To check the routes learned by the Route Server use this command:

-1. To check the routes learned by the Quagga NVA enter `vtysh` and then enter `show ip bgp`. Output should look like the following:

-If you no longer need the Route Server and all associating resources, you can delete the **myRouteServerRG** resource group.

-> [Troubleshoot Route Server](troubleshoot-route-server.md)

-description: This article walks you through a Microsoft Sentinel level 400 training to help you skill up on Microsoft Sentinel. The training includes 21 modules that contain relevant product documentation, blog posts and other resources. Make sure to check the most recent links for the documentation.

-This article walks you through a Microsoft Sentinel level 400 training to help you skill up on Microsoft Sentinel. The training includes 21 modules that contain relevant product documentation, blog posts and other resources. Make sure to check the most recent links for the documentation.

-The modules listed below are split into five parts following the life cycle of a Security Operation Center (SOC):

-[Part 2: Architecting & Deploying](#part-2-architecting--deploying)

-[Part 3: Creating Content](#part-3-creating-content)

-This Skill-up training is based on the [Microsoft Sentinel Ninja training](https://techcommunity.microsoft.com/t5/microsoft-sentinel-blog/become-a-microsoft-sentinel-ninja-the-complete-level-400/ba-p/1246310) and is a level 400 training. If you don't want to go as deep, or have a specific issue, other resources might be more suitable:

-* While extensive, the Skill-up training has to follow a script, and can't expand on every topic. Read the referenced documentation for details on every article.

-* You can now certify with the new certification [SC-200: Microsoft Security Operations Analyst](/learn/certifications/exams/sc-200), which covers Microsoft Sentinel. You may also want to consider the [SC-900: Microsoft Security, Compliance, and Identity Fundamentals](/learn/certifications/exams/sc-900) or the [AZ-500: Microsoft Azure Security Technologies](/learn/certifications/exams/az-500), for a broader, higher level view of the Microsoft Security suite.

-* Are you already skilled-up on Microsoft Sentinel? Just keep track of [what's new](whats-new.md) or join the [Private Preview](https://forms.office.com/pages/responsepage.aspx?id=v4j5cvGGr0GRqy180BHbR-kibZAPJAVBiU46J6wWF_5URDFSWUhYUldTWjdJNkFMVU1LTEU4VUZHMy4u) program for an earlier glimpse.

-* Do you have a feature idea and do you want to share with us? Let us know on the [Microsoft Sentinel user voice page](https://feedback.azure.com/d365community/forum/37638d17-0625-ec11-b6e6-000d3a4f07b8).

-* Premier customer? You might want the on-site (or remote) four-day _Microsoft Sentinel Fundamentals Workshop_. Contact your Customer Success Account Manager for more details.

-* Do you have a specific issue? Ask (or answer others) on the [Microsoft Sentinel Tech Community](https://techcommunity.microsoft.com/t5/microsoft-sentinel/bd-p/MicrosoftSentinel). As a last resort, send an e-mail to <MicrosoftSentinel@microsoft.com>.

-Microsoft Sentinel is a **scalable, cloud-native, security information event management (SIEM) and security orchestration automated response (SOAR) solution**. Microsoft Sentinel delivers security analytics and threat intelligence across the enterprise. It provides a single solution for alert detection, threat visibility, proactive hunting, and threat response. [Read more.](overview.md)

-If you want to get an initial overview of Microsoft Sentinel's technical capabilities, the [latest Ignite presentation](https://www.youtube.com/watch?v=kGctnb4ddAE) is a good starting point. You might also find the [Quick Start Guide to Microsoft Sentinel](https://azure.microsoft.com/resources/quick-start-guide-to-azure-sentinel/) useful (requires registration). A more detailed overview can be found in this webinar: [MP4](https://1drv.ms/v/s%21AnEPjr8tHcNmggMkcVweWOqoxuN9), [YouTube](https://youtu.be/7An7BB-CcQI), [Presentation](https://1drv.ms/b/s!AnEPjr8tHcNmgjrN_zHpzbnfX_mX).

-Lastly, do you want to try it yourself? The Microsoft Sentinel All-In-One Accelerator ([blog](https://techcommunity.microsoft.com/t5/azure-sentinel/azure-sentinel-all-in-one-accelerator/ba-p/1807933), [YouTube](https://youtu.be/JB73TuX9DVs), [MP4](https://aka.ms/AzSentinel_04FEB2021_MP4), [Presentation](https://1drv.ms/b/s!AnEPjr8tHcNmhjw41XZvVSCSNIuX)) presents an easy way to get you started. To learn how to start yourself, review the [onboarding documentation](quickstart-onboard.md), or watch [Insight's Sentinel setup and configuration video](https://www.youtube.com/watch?v=Cyd16wVwxZc).

-#### Learn from users

-Thousands of organizations and service providers are using Microsoft Sentinel. As usual with security products, most of them don't go public about it. Still, there are some.

-* You can find [public customer use cases here](https://customers.microsoft.com/en-us/home)

-* [Insight](https://www.insightcdct.com/) released a use case about [an NBA team adapting Sentinel](https://www.insightcdct.com/Resources/Case-Studies/Case-Studies/NBA-Team-Adopts-Azure-Sentinel-for-a-Modern-Securi).

-* Stuart Gregg, Security Operations Manager @ ASOS, posted a much more detailed [blog post from Microsoft Sentinel's experience, focusing on hunting](https://medium.com/@stuart.gregg/proactive-phishing-with-azure-sentinel-part-1-b570fff3113).

-#### Learn from Analysts

-* [Microsoft Sentinel is a Leader placement in Forrester Wave.](https://www.microsoft.com/security/blog/2020/12/01/azure-sentinel-achieves-a-leader-placement-in-forrester-wave-with-top-ranking-in-strategy/)

-* [Microsoft named a Visionary in the 2021 Gartner Magic Quadrant for SIEM for Microsoft Sentinel.](https://www.microsoft.com/security/blog/2021/07/08/microsoft-named-a-visionary-in-the-2021-gartner-magic-quadrant-for-siem-for-azure-sentinel/)

-Many users use Microsoft Sentinel as their primary SIEM. Most of the modules in this course cover this use case. In this module, we present a few extra ways to use Microsoft Sentinel.

-Use Microsoft Sentinel, Microsoft Defender for Cloud, Microsoft 365 Defender in tandem to protect your Microsoft workloads, including Windows, Azure, and Office:

-* Read [The Azure Security compass](https://aka.ms/azuresecuritycompass) to understand Microsoft's blueprint for your security operations.

-* Read and watch how such a setup helps detect and respond to a WebShell attack: [Blog](https://techcommunity.microsoft.com/t5/azure-sentinel/analysing-web-shell-attacks-with-azure-defender-data-in-azure/ba-p/1724130), [Video demo](https://techcommunity.microsoft.com/t5/video-hub/webshell-attack-deep-dive/m-p/1698964).

-* Watch the webinar: [Better Together | OT and IoT Attack Detection, Investigation and Response](https://youtu.be/S8DlZmzYO2s).

-Either for a transition period or a longer term, if you're using Microsoft Sentinel for your cloud workloads, you may be using Microsoft Sentinel alongside your existing SIEM. You might also be using both with a ticketing system such as Service Now.

-For more information on migrating from another SIEM to Microsoft Sentinel, watch the migration webinar: [MP4](https://aka.ms/AzSentinel_DetectionRules_19FEB21_MP4), [YouTube](https://youtu.be/njXK1h9lfR4), [Presentation](https://1drv.ms/b/s!AnEPjr8tHcNmhlsYDm99KLbNWlq5).

-There are three common scenarios for side by side deployment:

-* If you have a ticketing system in your SOC, a best practice is to send alerts or incidents from both SIEM systems to a ticketing system such as Service Now. An example is using [Microsoft Sentinel Incident Bi-directional sync with ServiceNow](https://techcommunity.microsoft.com/t5/azure-sentinel/azure-sentinel-incident-bi-directional-sync-with-servicenow/ba-p/1667771) or [sending alerts enriched with supporting events from Microsoft Sentinel to third-party SIEMs](https://techcommunity.microsoft.com/t5/azure-sentinel/sending-alerts-enriched-with-supporting-events-from-azure/ba-p/1456976).

-* At least initially, many users send alerts from Microsoft Sentinel to your on-premises SIEM. Read on how to do it in [Sending alerts enriched with supporting events from Microsoft Sentinel to third-party SIEMs](https://techcommunity.microsoft.com/t5/azure-sentinel/sending-alerts-enriched-with-supporting-events-from-azure/ba-p/1456976).

-* Over time, as Microsoft Sentinel covers more workloads, it's typical to reverse that and send alerts from your on-premises SIEM to Microsoft Sentinel. To do that:

- * With Splunk, read [Send data and notable events from Splunk to Microsoft Sentinel using the Microsoft Sentinel Splunk ....](https://techcommunity.microsoft.com/t5/azure-sentinel/how-to-export-data-from-splunk-to-azure-sentinel/ba-p/1891237)

- * With QRadar read [Sending QRadar offenses to Microsoft Sentinel](https://techcommunity.microsoft.com/t5/azure-sentinel/migrating-qradar-offenses-to-azure-sentinel/ba-p/2102043)

- * For ArcSight, use [CEF Forwarding](https://community.microfocus.com/t5/Logger-Forwarding-Connectors/ArcSight-Forwarding-Connector-Configuration-Guide/ta-p/1583918).

-You can also send the alerts from Microsoft Sentinel to your third-party SIEM or ticketing system using the [Graph Security API](/graph/security-integration), which is simpler, but wouldn't enable sending other data.

-Since it eliminates the setup cost and is location agnostics, Microsoft Sentinel is a popular choice for providing SIEM-as-a-service. You can find a [list of MISA (Microsoft Intelligent Security Association) member managed security service providers (MSSPs) using Microsoft Sentinel](https://www.microsoft.com/security/blog/2020/07/14/microsoft-intelligent-security-association-managed-security-service-providers/). Many other MSSPs, especially regional and smaller ones, use Microsoft Sentinel but aren't MISA members.

-To start your journey as an MSSP, you should read the [Microsoft Sentinel Technical Playbooks for MSSPs](https://aka.ms/azsentinelmssp). More information about MSSP support is included in the next module, cloud architecture and multi-tenant support.

-## Part 2: Architecting & Deploying

-While the previous section offers options to start using Microsoft Sentinel in a matter of minutes, before you start a production deployment, you need to plan. This section walks you through the areas that you need to consider when architecting your solution, and provides guidelines on how to implement your design:

-* Threat Intelligence acquisition

-A Microsoft Sentinel instance is called a workspace. The workspace is the same as a Log Analytics workspace and supports any Log Analytics capability. You can think of Sentinel as a solution that adds SIEM features on top of a Log Analytics workspace.

-Multiple workspaces are often necessary and can act together as a single Microsoft Sentinel system. A special use case is providing service using Microsoft Sentinel, for example, by an **MSSP** (Managed Security Service Provider) or by a **Global SOC** in a large organization.

-To learn more about using multiple workspaces as one Microsoft Sentinel system, read [Extend Microsoft Sentinel across workspaces and tenants](extend-sentinel-across-workspaces-tenants.md) or watch the Webinar: [MP4](https://1drv.ms/v/s!AnEPjr8tHcNmgkqH7MASAKIg8ql8), [YouTube](https://youtu.be/hwahlwgJPnE), [Presentation](https://1drv.ms/b/s!AnEPjr8tHcNmgkkYuxOITkGSI7x8).

-There are a few specific areas that require your consideration when using multiple workspaces:

-* An important driver for using multiple workspaces is **data residency**. Read more about [Microsoft Sentinel data residency](quickstart-onboard.md).

-* To deploy Microsoft Sentinel and manage content efficiently across multiple workspaces; you would like to manage Sentinel as code using **CI/CD technology**. A recommended best practice for Microsoft Sentinel is to enable continuous deployment:

- * Read [Enable Continuous Deployment Natively with Microsoft Sentinel Repositories!](https://techcommunity.microsoft.com/t5/microsoft-sentinel-blog/enable-continuous-deployment-natively-with-microsoft-sentinel/ba-p/2929413)

-* When managing multiple workspaces as an MSSP, you may want to [protect the MSSPΓÇÖs Intellectual Property in Microsoft Sentinel](mssp-protect-intellectual-property.md).

-The [Microsoft Sentinel Technical Playbook for MSSPs](https://aka.ms/azsentinelmssp) provides detailed guidelines for many of those topics, and is useful also for large organizations, not just to MSSPs.

-### Module 4: Data Collection

-The foundation of a SIEM is collecting telemetry: events, alerts, and contextual enrichment information such as Threat Intelligence, vulnerability data, and asset information. You can find a list of sources you can connect here:

-* [Microsoft Sentinel data connectors](connect-data-sources.md)

-* [Find your Microsoft Sentinel data connector](data-connectors-reference.md) for seeing all the supported and out-of-the-box data connectors. You'll find links to generic deployment procedures, and extra steps required for specific connectors.

-* Data Collection Scenarios: Learn about collection methods such as [Logstash/CEF/WEF](connect-logstash.md). Other common scenarios are permissions restriction to tables, log filtering, collecting logs from AWS or GCP, O365 raw logs etc. All can be found in this webinar: [YouTube](https://www.youtube.com/watch?v=FStpHl0NRM8), [MP4](https://aka.ms/AS_LogCollectionScenarios_V3.0_18MAR2021_MP4), [Presentation](https://1drv.ms/b/s!AnEPjr8tHcNmhx-_hfIf0Ng3aM_G).

-The first piece of information you'll see for each connector is its **data ingestion method**. The method that appears there will be a link to one of the following generic deployment procedures, which contain most of the information you'll need to connect your data sources to Microsoft Sentinel:

-|Data ingestion method | Linked article with instructions |

-| Syslog | [Collect data from Linux-based sources using Syslog](connect-syslog.md) |

-| Custom logs | [ Collect data in custom log formats to Microsoft Sentinel with the Log Analytics agent](connect-custom-logs.md) |

-If your source isn't available, you can [create a custom connector](create-custom-connector.md). Custom connectors use the ingestion API and therefore are similar to direct sources. Custom connectors are most often implemented using Logic Apps, offering a codeless option, or Azure Functions.

-While 'how many workspaces and which ones to use' is the first architecture question to ask when configuring Sentinel, there are other log management architectural decisions to consider:

-* Where and how long to retain data

-* How to best manage access to data and secure it

-#### Ingest, Archive, Search, and Restore Data within Microsoft Sentinel

-Watch the webinar: Manage Your Log Lifecycle with New Methods for Ingestion, Archival, Search, and Restoration, [here](https://www.youtube.com/watch?v=LgGpSJxUGoc&ab_channel=MicrosoftSecurityCommunity).

-* **Basic ingestion tier**: new pricing tier for Azure Log Analytics that allows for logs to be ingested at a lower cost. This data is only retained in the workspace for eight days total.

-* **Archive tier**: Azure Log Analytics has expanded its retention capability from two years to seven years. With the new tier, it will allow data to be retained up to seven years in a low-cost archived state.

-* **Search jobs**: search tasks that run limited KQL in order to find and return all relevant logs to what is searched. These jobs search data across the analytics tier, basic tier. and archived data.

-* **Data restoration**: new feature that allows users to pick a data table and a time range in order to restore data to the workspace via restore table.

-Learn more about these new features in [this article](https://techcommunity.microsoft.com/t5/microsoft-sentinel-blog/ingest-archive-search-and-restore-data-in-microsoft-sentinel/ba-p/3195126).

-#### Alternative retention options outside of the Microsoft Sentinel platform

-If you want to retain data for _more than two years_, or _reduce the retention cost_, you can consider using Azure Data Explorer for long-term retention of Microsoft Sentinel logs: [Webinar Slides](https://onedrive.live.com/?authkey=%21AGe3Zue4W0xYo4s&cid=66C31D2DBF8E0F71&id=66C31D2DBF8E0F71%21963&parId=66C31D2DBF8E0F71%21954&o=OneUp), [Webinar Recording](https://www.youtube.com/watch?v=UO8zeTxgeVw&ab_channel=MicrosoftSecurityCommunity), [Blog](https://techcommunity.microsoft.com/t5/microsoft-sentinel-blog/using-azure-data-explorer-for-long-term-retention-of-microsoft/ba-p/1883947).

-Need more depth? Watch the _Improving the Breadth and Coverage of Threat Hunting with ADX Support, More Entity Types, and Updated MITRE Integration_ webinar [here](https://www.youtube.com/watch?v=5coYjlw2Qqs&ab_channel=MicrosoftSecurityCommunity).

-If you prefer another long-term retention solution, [export from Microsoft Sentinel / Log Analytics to Azure Storage and Event Hubs](/cli/azure/monitor/log-analytics/workspace/data-export) or [move Logs to Long-Term Storage using Logic Apps](../azure-monitor/logs/logs-export-logic-app.md). The latter advantage is that it can export historical data.

-Lastly, you can set fine-grained retention periods using [table-level retention Settings](https://techcommunity.microsoft.com/t5/core-infrastructure-and-security/azure-log-analytics-data-retention-by-type-in-real-life/ba-p/1416287). More details [here](../azure-monitor/logs/data-retention-archive.md).

-#### Log Security

-* Use [resource RBAC](https://techcommunity.microsoft.com/t5/azure-sentinel/controlling-access-to-azure-sentinel-data-resource-rbac/ba-p/1301463) or [Table Level RBAC](../azure-monitor/logs/manage-access.md) to enable multiple teams to use a single workspace.

-* Learn how to [audit workspace queries and Microsoft Sentinel use, using alerts workbooks and queries](https://techcommunity.microsoft.com/t5/microsoft-sentinel-blog/auditing-microsoft-sentinel-activities/ba-p/1718328).

-* Use [private links](../azure-monitor/logs/private-link-security.md) to ensure logs never leave your private network.

-Use a [dedicated workspace cluster](../azure-monitor/logs/logs-dedicated-clusters.md) if your projected data ingestion is around or more than 500 GB per day. A dedicated cluster enables you to secure resources for your Microsoft Sentinel data, which enables better query performance for large data sets.

-### Module 6: Enrichment: TI, Watchlists, and more

-One of the important functions of a SIEM is to apply contextual information to the event steam, enabling detection, alert prioritization, and incident investigation. Contextual information includes, for example, threat intelligence, IP intelligence, host and user information, and watchlists

-Microsoft Sentinel provides comprehensive tools to import, manage, and use threat intelligence. For other types of contextual information, Microsoft Sentinel provides Watchlists, and other alternative solutions.

-#### Threat Intelligence

-Threat Intelligence is an important building block of a SIEM. Watch the Explore the Power of Threat Intelligence in Microsoft Sentinel webinar [here](https://www.youtube.com/watch?v=i29Uzg6cLKc&ab_channel=MicrosoftSecurityCommunity).

-In Microsoft Sentinel, you can integrate Threat Intelligence (TI) using the built-in connectors from TAXII servers or through the Microsoft Graph Security API. Read more on how to in the [documentation](threat-intelligence-integration.md). For more information about importing Threat Intelligence, see the data collection modules.

-Once imported, [Threat Intelligence](understand-threat-intelligence.md) is used extensively throughout Microsoft Sentinel. The following features focus on using Threat Intelligence:

-* View and manage the imported threat intelligence in **Logs** in the new Threat Intelligence area of Microsoft Sentinel.

-* Use the [built-in TI Analytics rule templates](understand-threat-intelligence.md#detect-threats-with-threat-indicator-based-analytics) to generate security alerts and incidents using your imported threat intelligence.

-* [Visualize key information about your threat intelligence](understand-threat-intelligence.md#view-and-manage-your-threat-indicators) in Microsoft Sentinel with the Threat Intelligence workbook.

-Watch the **Automate Your Microsoft Sentinel Triage Efforts with RiskIQ Threat

-Intelligence** webinar: [YouTube](https://youtu.be/8vTVKitim5c), [Presentation](https://1drv.ms/b/s!AnEPjr8tHcNmkngW7psV4janJrVE?e=UkmgWk).

-Short on time? watch the [Ignite session](https://www.youtube.com/watch?v=RLt05JaOnHc) (28 Minutes)

-Go in-depth? Watch the Webinar: [YouTube](https://youtu.be/zfoVe4iarto), [MP4](https://1drv.ms/v/s!AnEPjr8tHcNmgi8zazMLahRyycPf), [Presentation](https://1drv.ms/b/s!AnEPjr8tHcNmgi0pABN930p56id_).

-To import and manage any type of contextual information, Microsoft Sentinel provides Watchlists. Watchlists enable you to upload data tables in CSV format and use them in your KQL queries. Read more about Watchlists in the [documentation](watchlists.md) or watch the use _Watchlists to Manage Alerts, Reduce Alert Fatigue and improve SOC efficiency_ webinar: [YouTube](https://youtu.be/148mr8anqtI), [Presentation](https://1drv.ms/b/s!AnEPjr8tHcNmk1qPwVKXkyKwqsM5?e=jLlNmP).

-* **Investigate threats and respond to incidents quickly** with the rapid import of IP addresses, file hashes, and other data from CSV files. After you import the data, use watchlist name-value pairs for joins and filters in alert rules, threat hunting, workbooks, notebooks, and general queries.

-* **Import business data as a watchlist**. For example, import user lists with privileged system access, or terminated employees. Then, use the watchlist to create allowlists and blocklists to detect or prevent those users from logging in to the network.

-* **Reduce alert fatigue**. Create allowlists to suppress alerts from a group of users, such as users from authorized IP addresses that perform tasks that would normally trigger the alert. Prevent benign events from becoming alerts.

-* **Enrich event data**. Use watchlists to enrich your event data with name-value combinations derived from external data sources.

-In addition to Watchlists, you can also use the KQL externaldata operator, custom logs, and KQL functions to manage and query context information. Each one of the four methods has its pros and cons, and you can read more about the comparison between those options in the blog post ["Implementing Lookups in Microsoft Sentinel"](https://techcommunity.microsoft.com/t5/microsoft-sentinel-blog/implementing-lookups-in-azure-sentinel/ba-p/1091306). While each method is different, using the resulting information in your queries is similar enabling easy switching between them.

-Read ["Utilize Watchlists to Drive Efficiency During Microsoft Sentinel Investigations"](https://techcommunity.microsoft.com/t5/microsoft-sentinel-blog/utilize-watchlists-to-drive-efficiency-during-microsoft-sentinel/ba-p/2090711) for ideas on using Watchlist outside of analytic rules.

-Watch the **Use Watchlists to Manage Alerts, Reduce Alert Fatigue and improve

-SOC efficiency** webinar. [YouTube](https://youtu.be/148mr8anqtI), [Presentation](https://1drv.ms/b/s!AnEPjr8tHcNmk1qPwVKXkyKwqsM5?e=jLlNmP).

-Microsoft Sentinel supports two new features for data ingestion and transformation. These features, provided by Log Analytics, act on your data even before it's stored in your workspace.

-* The first of these features is the [**Logs ingestion API.**](../azure-monitor/logs/logs-ingestion-api-overview.md) It allows you to send custom-format logs from any data source to your Log Analytics workspace, and store those logs either in certain specific standard tables, or in custom-formatted tables that you create. The actual ingestion of these logs can be done by direct API calls. You can use Log Analytics [data collection rules (DCRs)](../azure-monitor/essentials/data-collection-rule-overview.md) to define and configure these workflows.

-* The second feature is [**workspace data transformations for standard logs**](../azure-monitor/essentials/data-collection-transformations.md#workspace-transformation-dcr). It uses [DCRs](../azure-monitor/essentials/data-collection-rule-overview.md) to filter out irrelevant data, to enrich or tag your data, or to hide sensitive or personal information. Data transformation can be configured at ingestion time for the following types of built-in data connectors:

- * AMA-based data connectors (based on the new Azure Monitor Agent)

- * MMA-based data connectors (based on the legacy Log Analytics Agent)

- * Data connectors that use Diagnostic settings

-* [Custom data ingestion and transformation in Microsoft Sentinel](configure-data-transformation.md)

-In many (if not most) cases, you already have a SIEM and need to migrate to Microsoft Sentinel. While it may be a good time to start over, and rethink your SIEM implementation, it makes sense to utilize some of the assets you already built in your current implementation. Watch the webinar describing best practices for converting detection rules from Splunk, QRadar, and ArcSight to Azure Sentinel Rules: [YouTube](https://youtu.be/njXK1h9lfR4), [MP4](https://aka.ms/AzSentinel_DetectionRules_19FEB21_MP4), [Presentation](https://1drv.ms/b/s!AnEPjr8tHcNmhlsYDm99KLbNWlq5), [blog](https://techcommunity.microsoft.com/t5/azure-sentinel/best-practices-for-migrating-detection-rules-from-arcsight/ba-p/2216417).

-You might also be interested in some of the following resources:

-* [Splunk SPL to KQL mappings](https://github.com/Azure/Azure-Sentinel/blob/master/Tools/RuleMigration/SPL%20to%20KQL.md)

-### Module 9: Advanced SIEM Information Model (ASIM) and Normalization

-Working with various data types and tables together presents a challenge. You must become familiar with different data types and schemas, write and use a unique set of analytics rules, workbooks, and hunting queries. Correlation between the different data types necessary for investigation and hunting can also be tricky.

-The **Advanced SIEM Information Model (ASIM)** provides a seamless experience for handling various sources in uniform, normalized views. ASIM aligns with the Open-Source Security Events Metadata (OSSEM) common information model, promoting vendor agnostic, industry-wide normalization. Watch the Advanced SIEM Information Model (ASIM): Now built into Microsoft Sentinel webinar: YouTube, Deck.

-The current implementation is based on query time normalization using KQL functions:

- * Watch the _Understanding Normalization in Microsoft Sentinel_ webinar: [YouTube](https://www.youtube.com/watch?v=WoGD-JeC7ng), [Presentation](https://1drv.ms/b/s!AnEPjr8tHcNmjDY1cro08Fk3KUj-?e=murYHG).

- * Watch the _Deep Dive into Microsoft Sentinel Normalizing Parsers and Normalized Content_ webinar: [YouTube](https://www.youtube.com/watch?v=zaqblyjQW6k), [MP3](https://aka.ms/AS_Normalizing_Parsers_and_Normalized_Content_11AUG2021_MP4), [Presentation](https://1drv.ms/b/s!AnEPjr8tHcNmjGtoRPQ2XYe3wQDz?e=R3dWeM).

-* **Parsers** map existing data to the normalized schemas. Parsers are implemented using [KQL functions](/azure/data-explorer/kusto/query/functions/user-defined-functions). Watch the _Extend and Manage ASIM: Developing, Testing and Deploying Parsers_ webinar: [YouTube](https://youtu.be/NHLdcuJNqKw), [Presentation](https://1drv.ms/b/s!AnEPjr8tHcNmk0_k0zs21rL7euHp?e=5XkTnW).

-* **Content** for each normalized schema includes analytics rules, workbooks, hunting queries. This content works on any normalized data without the need to create source-specific content.

-

-* **Cross source detection**: Normalized analytic rules work across sources, on-premises and cloud, now detecting attacks such as brute force or impossible travel across systems including Okta, AWS, and Azure.

-* **Allows source agnostic content**: the coverage of built-in and custom content using ASIM automatically expands to any source that supports ASIM, even if the source was added after the content was created. For example, process event analytics support any source that a customer may use to bring in the data, including Microsoft Defender for Endpoint, Windows Events, and Sysmon. We're ready to add [Sysmon for Linux](https://twitter.com/markrussinovich/status/1283039153920368651?lang=en) and WEF once released!

-* **Ease of use:** once an analyst learns ASIM, writing queries is much simpler as the field names are always the same.

-#### To learn more about ASIM:

-* Watch the overview webinar: [YouTube](https://www.youtube.com/watch?v=WoGD-JeC7ng), [Presentation](https://1drv.ms/b/s!AnEPjr8tHcNmjDY1cro08Fk3KUj-?e=murYHG) .

-* Watch the _Deep Dive into Microsoft Sentinel Normalizing Parsers and Normalized Content_ webinar: [YouTube](https://www.youtube.com/watch?v=zaqblyjQW6k), [MP3](https://aka.ms/AS_Normalizing_Parsers_and_Normalized_Content_11AUG2021_MP4), [Presentation](https://1drv.ms/b/s!AnEPjr8tHcNmjGtoRPQ2XYe3wQDz?e=R3dWeM).

-* Watch the _Turbocharging ASIM: Making Sure Normalization Helps Performance Rather Than Impacting It_ webinar: [YouTube](https://youtu.be/-dg_0NBIoak), [MP4](https://1drv.ms/v/s!AnEPjr8tHcNmjk5AfH32XSdoVzTJ?e=a6hCHb), [Presentation](https://1drv.ms/b/s!AnEPjr8tHcNmjnQITNn35QafW5V2?e=GnCDkA).

-* Read the [documentation](https://aka.ms/AzSentinelNormalization).

-#### To Deploy ASIM:

-* Deploy the parsers from the folders starting with ΓÇ£ASIM*ΓÇ¥ in the [parsers](https://github.com/Azure/Azure-Sentinel/tree/master/Parsers) folder on GitHub.

-* Activate analytic rules that use ASIM. Search for ΓÇ£normalΓÇ¥ in the template gallery to find some of them. To get the full list, use this [GitHub search](https://github.com/search?q=ASIM+repo%3AAzure%2FAzure-Sentinel+path%3A%2Fdetections&type=Code&ref=advsearch&l=&l=).

-#### To Use ASIM:

-* Use the [ASIM hunting queries from GitHub](https://github.com/Azure/Azure-Sentinel/tree/master/Hunting%20Queries)

-* Use ASIM queries when using KQL in the log screen.

-* Write your own analytic rules using ASIM or [convert existing ones](normalization.md).

-* Write [parsers](normalization.md#asim-components) for your custom sources to make them ASIM compatible and take part in built-in analytics

-## Part 3: Creating Content

-What is Microsoft Sentinel's content?

-Microsoft Sentinel's security value is a combination of its built-in capabilities and your capability to create custom ones and customize the built-in ones. Among built-in capabilities, there are UEBA, Machine Learning or out-of-the-box analytics rules. Customized capabilities are often referred to as "content" and include analytic rules, hunting queries, workbooks, playbooks, etc.

-In this section, we grouped the modules that help you learn how to create such content or modify built-in-content to your needs. We start with KQL, the Lingua Franca of Azure Sentinel. The following modules discuss one of the content building blocks such as rules, playbooks, and workbooks. We wrap up by discussing use cases, which encompass elements of different types to address specific security goals such as threat detection, hunting, or governance.

-### Module 10: The Kusto Query Language (KQL)

-Most Microsoft Sentinel capabilities use [KQL or Kusto Query Language](/azure/data-explorer/kusto/query/). When you search in your logs, write rules, create hunting queries, or design workbooks, you use KQL.

-#### Below is the recommended journey for learning Sentinel KQL:

-* [Pluralsight KQL course](https://www.pluralsight.com/courses/kusto-query-language-kql-from-scratch) - the basics

-* [Must Learn KQL](https://aka.ms/MustLearnKQL) - A 20-part KQL series that walks through the basics to creating your first Analytics Rule. Includes an assessment and certificate.

-* The Microsoft Sentinel KQL Lab: An interactive lab teaching KQL focusing on what you need for Microsoft Sentinel:

- * [Presentation](https://onedrive.live.com/?authkey=%21AJRxX475AhXGQBE&cid=66C31D2DBF8E0F71&id=66C31D2DBF8E0F71%21740&parId=66C31D2DBF8E0F71%21446&o=OneUp), [Lab URL](https://aka.ms/lademo)

- * a [Jupyter Notebooks version](https://github.com/jjsantanna/azure_sentinel_learn_kql_lab/blob/master/azure_sentinel_learn_kql_lab.ipynb), which let you test the queries within the notebook.

- * Learning webinar: [YouTube](https://youtu.be/EDCBLULjtCM), [MP4](https://1drv.ms/v/s!AnEPjr8tHcNmglwAjUjmYy2Qn5J-);

- * Reviewing lab solutions webinar: [YouTube](https://youtu.be/YKD_OFLMpf8), [MP4](https://1drv.ms/v/s!AnEPjr8tHcNmg0EKIi5gwXyccB44?e=sF6UG5)

-* [Pluralsight Advanced KQL course](https://www.pluralsight.com/courses/microsoft-azure-data-explorer-advanced-query-capabilities)

-* _Optimizing Azure Sentinel KQL queries performance_: [YouTube](https://youtu.be/jN1Cz0JcLYU), [MP4](https://aka.ms/AzS_09SEP20_MP4), [Presentation](https://1drv.ms/b/s!AnEPjr8tHcNmg2imjIS8NABc26b-?e=rXZrR5).

-* Using ASIM in your KQL queries: [YouTube](https://www.youtube.com/watch?v=WoGD-JeC7ng), [Presentation](https://1drv.ms/b/s!AnEPjr8tHcNmjDY1cro08Fk3KUj-?e=murYHG)

-* _KQL Framework for Microsoft Sentinel - Empowering You to Become KQL-Savvy:_ [YouTube](https://youtu.be/j7BQvJ-Qx_k), [Presentation](https://1drv.ms/b/s!AnEPjr8tHcNmkgqKSV-m1QWgkzKT?e=QAilwu).

-You might also find the following references useful as you learn KQL:

-#### Writing Scheduled Analytics Rules

-Microsoft Sentinel enables you to use [built-in rule templates](detect-threats-built-in.md), customize the templates for your environment, or create custom rules. The core of the rules is a KQL query; however, there's much more than that to configure in a rule.

-To learn the procedure for creating rules, read the [documentation](detect-threats-custom.md). To learn how to write rules, that is, what should go into a rule, focusing on KQL for rules, watch the webinar: [MP4](https://1drv.ms/v/s%21AnEPjr8tHcNmghlWrlBCPKwT5WTT), [YouTube](https://youtu.be/pJjljBT4ipQ), [Presentation](https://1drv.ms/b/s!AnEPjr8tHcNmgmffNHf0wqmNEqdx).

-* **Correlation rules**: [using lists and the "in" operator](https://techcommunity.microsoft.com/t5/microsoft-sentinel-blog/azure-sentinel-correlation-rules-active-lists-out-make-list-in/ba-p/1029225) or using the ["join" operator](https://techcommunity.microsoft.com/t5/microsoft-sentinel-blog/azure-sentinel-correlation-rules-the-join-kql-operator/ba-p/1041500)

-* **Aggregation**: see using lists and the "in" operator above, or a more [advanced pattern handling sliding windows](https://techcommunity.microsoft.com/t5/microsoft-sentinel-blog/handling-sliding-windows-in-azure-sentinel-rules/ba-p/1505394)

-* **Lookups**: Regular, or Approximate, partial & combined lookups

-* **Delayed events:** are a fact of life in any SIEM and are hard to tackle. Microsoft Sentinel can help you mitigate delays in your rules.

-* Using KQL functions as **building blocks**: Enriching Windows Security Events with Parameterized Function.

-To blog post ["Blob and File Storage Investigations"](https://techcommunity.microsoft.com/t5/microsoft-sentinel-blog/microsoft-ignite-2021-blob-and-file-storage-investigations/ba-p/2175138) provides a step by step example of writing a useful analytic rule.

-#### Using Built-in Analytics

-Before embarking on your own rule writing, you should take advantage of the built-in analytics capabilities. They don't require much from you, but it's worthwhile learning about them:

-* Use the [built-in scheduled rule templates](detect-threats-built-in.md). You can tune those templates by modifying the templates the same way to edit any scheduled rule. Make sure to deploy the templates for the data connectors you connect listed in the data connector "next steps" tab.

-* Learn more about Microsoft Sentinel's [Machine learning capabilities](bring-your-own-ml.md): [MP4](https://onedrive.live.com/?authkey=%21ANHkqv1CC1rX0JE&cid=66C31D2DBF8E0F71&id=66C31D2DBF8E0F71%21772&parId=66C31D2DBF8E0F71%21770&o=OneUp), [YouTube](https://www.youtube.com/watch?v=DxZXHvq1jOs&ab_channel=MicrosoftSecurityCommunity), [Presentation](https://onedrive.live.com/?authkey=%21ACovlR%2DY24o1rzU&cid=66C31D2DBF8E0F71&id=66C31D2DBF8E0F71%21773&parId=66C31D2DBF8E0F71%21770&o=OneUp)

-* Find the list of Microsoft Sentinel's [Advanced multi-stage attack detections ("Fusion") ](fusion.md) that are enabled by default.

-* Watch the Fusion ML Detections with Scheduled Analytics Rules webinar: [YouTube](https://www.youtube.com/watch?v=Ee7gBAQ2Dzc), [MP4](https://onedrive.live.com/?authkey=%21AJzpplg3agpLKdo&cid=66C31D2DBF8E0F71&id=66C31D2DBF8E0F71%211663&parId=66C31D2DBF8E0F71%211654&o=OneUp), [Presentation](https://onedrive.live.com/?cid=66c31d2dbf8e0f71&id=66C31D2DBF8E0F71%211674&ithint=file%2Cpdf&authkey=%21AD%5F1AN14N3W592M).

-* Learn more about Azure Sentinel's built-in SOC-ML anomalies [here](soc-ml-anomalies.md).

-* Watch the customized SOC-ML anomalies and how to use them webinar here: [YouTube](https://www.youtube.com/watch?v=z-suDfFgSsk&ab_channel=MicrosoftSecurityCommunity), [MP4](https://onedrive.live.com/?authkey=%21AJVEGsR4ym8hVKk&cid=66C31D2DBF8E0F71&id=66C31D2DBF8E0F71%211742&parId=66C31D2DBF8E0F71%211720&o=OneUp), [Presentation](https://onedrive.live.com/?authkey=%21AFqylaqbAGZAIfA&cid=66C31D2DBF8E0F71&id=66C31D2DBF8E0F71%211729&parId=66C31D2DBF8E0F71%211720&o=OneUp).

-* Watch the Fusion ML Detections for Emerging Threats & Configuration UI webinar here: [YouTube](https://www.youtube.com/watch?v=bTDp41yMGdk), [Presentation](https://onedrive.live.com/?cid=66c31d2dbf8e0f71&id=66C31D2DBF8E0F71%212287&ithint=file%2Cpdf&authkey=%21AIJICOTqjY7bszE).

-In modern SIEMs such as Microsoft Sentinel, SOAR (Security Orchestration, Automation, and Response) comprises the entire process from the moment an incident is triggered and until it's resolved. This process starts with an [incident investigation](investigate-cases.md) and continues with an [automated response](tutorial-respond-threats-playbook.md). The blog post ["How to use Microsoft Sentinel for Incident Response, Orchestration and Automation"](https://techcommunity.microsoft.com/t5/microsoft-sentinel-blog/how-to-use-azure-sentinel-for-incident-response-orchestration/ba-p/2242397) provides an overview of common use cases for SOAR.

-[Automation rules](automate-incident-handling-with-automation-rules.md) are the starting point for Microsoft Sentinel automation. They provide a lightweight method for central automated handling of incidents, including suppression,[ false-positive handling](false-positives.md), and automatic assignment.

-To provide robust workflow based automation capabilities, automation rules use [Logic App playbooks](automate-responses-with-playbooks.md):

-* Watch the Unleash the automation Jedi tricks & build Logic Apps Playbooks like a Boss Webinar: [YouTube](https://www.youtube.com/watch?v=G6TIzJK8XBA&ab_channel=MicrosoftSecurityCommunity), [MP4](https://onedrive.live.com/?authkey=%21AMHoD01Fnv0Nkeg&cid=66C31D2DBF8E0F71&id=66C31D2DBF8E0F71%21513&parId=66C31D2DBF8E0F71%21511&o=OneUp), [Presentation](https://onedrive.live.com/?authkey=%21AJK2W6MaFrzSzpw&cid=66C31D2DBF8E0F71&id=66C31D2DBF8E0F71%21514&parId=66C31D2DBF8E0F71%21511&o=OneUp).

-* Read about [Logic Apps](../logic-apps/logic-apps-overview.md), which is the core technology driving Microsoft Sentinel playbooks.

-*[ The Microsoft Sentinel Logic App connector](/connectors/azuresentinel/) is a link between Logic Apps and Azure Sentinel.

-You can find dozens of useful Playbooks in the [Playbooks folder](https://github.com/Azure/Azure-Sentinel/tree/master/Playbooks) on the [Microsoft Sentinel GitHub](https://github.com/Azure/Azure-Sentinel), or read [_A playbook using a watchlist to Inform a subscription owner about an alert_](https://techcommunity.microsoft.com/t5/microsoft-sentinel-blog/playbooks-amp-watchlists-part-1-inform-the-subscription-owner/ba-p/1768917) for a Playbook walkthrough.

-As the nerve center of your SOC, you need Microsoft Sentinel to visualize the information it collects and produces. Use workbooks to visualize data in Microsoft Sentinel.

-* To learn how to create workbooks, read the [documentation](../azure-monitor/visualize/workbooks-overview.md) or watch Billy York's [Workbooks training](https://www.youtube.com/watch?v=iGiPpD_-10M&ab_channel=FestiveTechCalendar) (and [accompanying text](https://www.cloudsma.com/2019/12/azure-advent-calendar-azure-monitor-workbooks/).

-* The mentioned resources aren't Microsoft Sentinel specific, and apply to Microsoft Workbooks in general. To learn more about Workbooks in Microsoft Sentinel, watch the Webinar: [YouTube](https://www.youtube.com/watch?v=7eYNaYSsk1A&list=PLmAptfqzxVEUD7-w180kVApknWHJCXf0j&ab_channel=MicrosoftSecurityCommunity), [MP4](https://onedrive.live.com/?authkey=%21ALoa5KFEhBq2DyQ&cid=66C31D2DBF8E0F71&id=66C31D2DBF8E0F71%21373&parId=66C31D2DBF8E0F71%21372&o=OneUp), [Presentation](https://onedrive.live.com/view.aspx?resid=66C31D2DBF8E0F71!374&ithint=file%2cpptx&authkey=!AD5hvwtCTeHvQLQ), and read the [documentation](monitor-your-data.md).

-Workbooks can be interactive and enable much more than just charting. With Workbooks, you can create apps or extension modules for Microsoft Sentinel to complement built-in functionality. We also use workbooks to extend the features of Microsoft Sentinel. Few examples of such apps you can both use and learn from are:

-* The [Investigation Insights Workbook](https://techcommunity.microsoft.com/t5/microsoft-sentinel-blog/announcing-the-investigation-insights-workbook/ba-p/1816903) provides an alternative approach for investigating incidents.

-* [Graph Visualization of External Teams Collaborations](https://techcommunity.microsoft.com/t5/microsoft-sentinel-blog/graph-visualization-of-external-teams-collaborations-in-azure/ba-p/1356847) enables hunting for risky Teams use.

-* The [users' travel map workbook](https://techcommunity.microsoft.com/t5/microsoft-sentinel-blog/how-to-use-azure-sentinel-to-follow-a-users-travel-and-map-their/ba-p/981716) allows investigating geo-location alerts.

-* The insecure protocols workbook ([Implementation Guide](https://techcommunity.microsoft.com/t5/microsoft-sentinel-blog/azure-sentinel-insecure-protocols-workbook-implementation-guide/ba-p/1197564), [recent enhancements](https://techcommunity.microsoft.com/t5/microsoft-sentinel-blog/azure-sentinel-insecure-protocols-workbook-reimagined/ba-p/1558375), and [overview video](https://www.youtube.com/watch?v=xzHDWbBX6h8&list=PLmAptfqzxVEWkrUwV-B1Ob3qW-QPW_Ydu&index=9&ab_channel=MicrosoftSecurityCommunity)) lets you identify the use of insecure protocols in your network.

-* Lastly, learn how to [integrate information from any source using API calls in a workbook](https://techcommunity.microsoft.com/t5/azure-sentinel/using-the-sentinel-api-to-view-data-in-a-workbook/ba-p/1386436).

-You can find dozens of workbooks in the [Workbooks folder](https://github.com/Azure/Azure-Sentinel/tree/master/Workbooks) in the [Microsoft Sentinel GitHub](https://github.com/Azure/Azure-Sentinel). Some of them are available in the Microsoft Sentinel workbooks gallery as well.

-Workbooks can serve for reporting. For more advanced reporting capabilities such as reports scheduling and distribution or pivot tables, you might want to use:

-* Power BI, which natively [integrates with Log Analytics and Sentinel](../azure-monitor/logs/log-powerbi.md).

-* Excel, which can use [Log Analytics and Sentinel as the data source](../azure-monitor/logs/log-excel.md) (and see [video](https://www.youtube.com/watch?v=Rx7rJhjzTZA) on how).

-* Jupyter notebooks covered later in the hunting module are also a great visualization tool.

-Jupyter notebooks are fully integrated with Microsoft Sentinel. While considered an important tool in the hunter's tool chest and discussed the webinars in the hunting section below, their value is much broader. Notebooks can serve for advanced visualization, an investigation guide, and for sophisticated automation.

-To understand them better, watch the [Introduction to notebooks video](https://www.youtube.com/watch?v=TgRRJeoyAYw&ab_channel=MicrosoftSecurityCommunity). Get started using the Notebooks webinar ([YouTube](https://www.youtube.com/watch?v=rewdNeX6H94&ab_channel=MicrosoftSecurityCommunity), [MP4](https://onedrive.live.com/?authkey=%21ALXve0rEAhZOuP4&cid=66C31D2DBF8E0F71&id=66C31D2DBF8E0F71%21778&parId=66C31D2DBF8E0F71%21776&o=OneUp), [Presentation](https://onedrive.live.com/?authkey=%21AEQpzVDAwzzen30&cid=66C31D2DBF8E0F71&id=66C31D2DBF8E0F71%21779&parId=66C31D2DBF8E0F71%21776&o=OneUp)) or read the [documentation](notebooks.md). The [Microsoft Sentinel Notebooks Ninja series](https://techcommunity.microsoft.com/t5/microsoft-sentinel-blog/becoming-a-microsoft-sentinel-notebooks-ninja-the-series/ba-p/2693491) is an ongoing training series to upskill you in Notebooks.

-An important part of the integration is implemented by [MSTICPY](https://techcommunity.microsoft.com/t5/microsoft-sentinel-blog/msticpy-python-defender-tools/ba-p/648929), which is a Python library developed by our research team to be used with Jupyter notebooks. It adds Microsoft Sentinel interfaces and sophisticated security capabilities to your notebooks.

-Connectors, rules, playbooks, and workbooks enable you to implement **use cases**: the SIEM term for a content pack intended to detect and respond to a threat. You can deploy Sentinel built-in use cases by activating the suggested rules when connecting each Connector. A **solution** is a **group of use cases** addressing a specific threat domain.

-The Webinar **"Tackling Identity"**([YouTube](https://www.youtube.com/watch?v=BcxiY32famg&ab_channel=MicrosoftSecurityCommunity), [MP4](https://onedrive.live.com/?authkey=%21AFsVrhZwut8EnB4&cid=66C31D2DBF8E0F71&id=66C31D2DBF8E0F71%21284&parId=66C31D2DBF8E0F71%21282&o=OneUp), [Presentation](https://onedrive.live.com/?authkey=%21ACSAvdeLB7JfAX8&cid=66C31D2DBF8E0F71&id=66C31D2DBF8E0F71%21283&parId=66C31D2DBF8E0F71%21282&o=OneUp)) explains what a use case is, how to approach its design, and presents several use cases that collectively address identity threats.

-Another relevant solution area is **protecting remote work**. Watch our [Ignite session on protection remote work](https://www.youtube.com/watch?v=09JfbjQdzpg&ab_channel=MicrosoftSecurity), and read more on the specific use cases:

-* [Microsoft Teams hunting use cases](https://techcommunity.microsoft.com/t5/microsoft-sentinel-blog/protecting-your-teams-with-azure-sentinel/ba-p/1265761) and [Graph Visualization of External Microsoft Teams Collaborations](https://techcommunity.microsoft.com/t5/microsoft-sentinel-blog/graph-visualization-of-external-teams-collaborations-in-azure/ba-p/1356847)

-* [Monitoring Azure Virtual Desktop with Microsoft Sentinel](../virtual-desktop/diagnostics-log-analytics.md): use Windows Security Events, Azure AD Sign-in logs, Microsoft 365 Defender for Endpoints, and AVD diagnostics logs to detect and hunt for AVD threats.

-*[ Monitor Microsoft endpoint Manager / Intune](https://techcommunity.microsoft.com/t5/microsoft-sentinel-blog/secure-working-from-home-deep-insights-at-enrolled-mem-assets/ba-p/1424255), using queries and workbooks.

-And lastly, focusing on recent attacks, learn how to [monitor the software supply chain with Microsoft Sentinel](https://techcommunity.microsoft.com/t5/microsoft-sentinel-blog/monitoring-the-software-supply-chain-with-azure-sentinel/ba-p/2176463).

-**Microsoft Sentinel solutions** provide in-product discoverability, single-step deployment, and enablement of end-to-end product, domain, and/or vertical scenarios in Microsoft Sentinel. Read more about them [here](sentinel-solutions.md), and watch the **webinar about how to create your own [here](https://www.youtube.com/watch?v=oYTgaTh_NOU&ab_channel=MicrosoftSecurityCommunity).** For more about Sentinel content management in general, watch the Microsoft Sentinel Content Management webinar - [YouTube](https://www.youtube.com/watch?v=oYTgaTh_NOU&ab_channel=MicrosoftSecurityCommunity), [Presentation](https://onedrive.live.com/?cid=66c31d2dbf8e0f71&id=66C31D2DBF8E0F71%212201&ithint=file%2Cpdf&authkey=%21AIdsDXF3iluXd94).

-After building your SOC, you need to start using it. The "day in a SOC analyst life" webinar ([YouTube](https://www.youtube.com/watch?v=HloK6Ay4h1M&ab_channel=MicrosoftSecurityCommunity), [MP4](https://onedrive.live.com/?authkey=%21ACD%5F1nY2ND8MOmg&cid=66C31D2DBF8E0F71&id=66C31D2DBF8E0F71%21273&parId=66C31D2DBF8E0F71%21271&o=OneUp), [Presentation](https://onedrive.live.com/?authkey=%21AAvOR9OSD51OZ8c&cid=66C31D2DBF8E0F71&id=66C31D2DBF8E0F71%21272&parId=66C31D2DBF8E0F71%21271&o=OneUp)) walks you through using Microsoft Sentinel in the SOC to **triage**, **investigate** and **respond** to incidents.

-[Integrating with Microsoft Teams directly from Microsoft Sentinel](collaborate-in-microsoft-teams.md) enables your teams to collaborate seamlessly across the organization, and with external stakeholders. Watch the _Decrease Your SOCΓÇÖs MTTR (Mean Time to Respond) by Integrating Microsoft Sentinel with Microsoft Teams_ webinar [here](https://www.youtube.com/watch?v=0REgc2jB560&ab_channel=MicrosoftSecurityCommunity).

-You might also want to read the [documentation article on incident investigation](investigate-cases.md). As part of the investigation, you'll also use the [entity pages](identify-threats-with-entity-behavior-analytics.md#entity-pages) to get more information about entities related to your incident or identified as part of your investigation.

-**Incident investigation** in Microsoft Sentinel extends beyond the core incident investigation functionality. We can build **additional investigation tools** using Workbooks and Notebooks (the latter are discussed later, under _Hunting_). You can also build more investigation tools or modify existing one to your specific needs. Examples include:

-* The [Investigation Insights Workbook](https://techcommunity.microsoft.com/t5/microsoft-sentinel-blog/announcing-the-investigation-insights-workbook/ba-p/1816903) provides an alternative approach for investigating incidents.

-* Notebooks enhance the investigation experience. Read [_Why Use Jupyter for Security Investigations?_](https://techcommunity.microsoft.com/t5/microsoft-sentinel-blog/why-use-jupyter-for-security-investigations/ba-p/475729) and learn how to investigate with Microsoft Sentinel & Jupyter Notebooks: [part 1](https://techcommunity.microsoft.com/t5/microsoft-sentinel-blog/security-investigation-with-azure-sentinel-and-jupyter-notebooks/ba-p/432921), [part 2](https://techcommunity.microsoft.com/t5/microsoft-sentinel-blog/security-investigation-with-azure-sentinel-and-jupyter-notebooks/ba-p/483466), and [part 3](https://techcommunity.microsoft.com/t5/microsoft-sentinel-blog/security-investigation-with-azure-sentinel-and-jupyter-notebooks/ba-p/561413).

-While most of the discussion so far focused on detection and incident management, **hunting** is another important use case for Microsoft Sentinel. Hunting is a **proactive search for threats** rather than a reactive response to alerts.

-The hunting dashboard is constantly updated. It shows all the queries that were written by Microsoft's team of security analysts and any extra queries that you've created or modified. Each query provides a description of what it hunts for, and what kind of data it runs on. These templates are grouped by their various tactics - the icons on the right categorize the type of threat, such as initial access, persistence, and exfiltration. Read more about it [here](hunting.md).

-To understand more about what hunting is and how Microsoft Sentinel supports it, watch the **Hunting Intro Webinar** ([YouTube](https://www.youtube.com/watch?v=6ueR09PLoLU&t=1451s&ab_channel=MicrosoftSecurityCommunity), [MP4](https://onedrive.live.com/?authkey=%21AO3gGrb474Bjmls&cid=66C31D2DBF8E0F71&id=66C31D2DBF8E0F71%21468&parId=66C31D2DBF8E0F71%21466&o=OneUp), [Presentation](https://onedrive.live.com/?authkey=%21AJ09hohPMbtbVKk&cid=66C31D2DBF8E0F71&id=66C31D2DBF8E0F71%21469&parId=66C31D2DBF8E0F71%21466&o=OneUp)). The webinar starts with an update on new features. To learn about hunting, start at slide 12. The YouTube link is already set to start there.

-While the intro webinar focuses on tools, hunting is all about security. Our **security research team webinar on hunting** ([MP4](https://onedrive.live.com/?authkey=%21ADC2GvI1Yjlh%2D6E&cid=66C31D2DBF8E0F71&id=66C31D2DBF8E0F71%21276&parId=66C31D2DBF8E0F71%21274&o=OneUp), [YouTube](https://www.youtube.com/watch?v=BTEV_b6-vtg&ab_channel=MicrosoftSecurityCommunity), [Presentation](https://onedrive.live.com/?authkey=%21AF1uqmmrWbI3Mb8&cid=66C31D2DBF8E0F71&id=66C31D2DBF8E0F71%21275&parId=66C31D2DBF8E0F71%21274&o=OneUp)) focuses on how to actually hunt. The follow-up **AWS Threat Hunting using Sentinel Webinar** ([MP4](https://onedrive.live.com/?authkey=%21ADu7r7XMTmKyiMk&cid=66C31D2DBF8E0F71&id=66C31D2DBF8E0F71%21336&parId=66C31D2DBF8E0F71%21333&o=OneUp), [YouTube](https://www.youtube.com/watch?v=bSH-JOKl2Kk&ab_channel=MicrosoftSecurityCommunity), [Presentation](https://onedrive.live.com/?authkey=%21AA7UKQIj2wu1FiI&cid=66C31D2DBF8E0F71&id=66C31D2DBF8E0F71%21334&parId=66C31D2DBF8E0F71%21333&o=OneUp)) really drives the point by showing an end-to-end hunting scenario on a high-value target environment. Lastly, you can learn how to do [SolarWinds Post-Compromise Hunting with Microsoft Sentinel](https://techcommunity.microsoft.com/t5/microsoft-sentinel-blog/solarwinds-post-compromise-hunting-with-azure-sentinel/ba-p/1995095) and [WebShell hunting](https://techcommunity.microsoft.com/t5/microsoft-sentinel-blog/web-shell-threat-hunting-with-azure-sentinel/ba-p/2234968) motivated by the latest recent vulnerabilities in on-premises Microsoft Exchange servers.

-Microsoft Sentinel newly introduced [User and Entity Behavior Analytics (UEBA)](identify-threats-with-entity-behavior-analytics.md) module enables you to identify and investigate threats inside your organization and their potential impact - whether a compromised entity or a malicious insider.

-As Microsoft Sentinel collects logs and alerts from all of its connected data sources, it analyzes them and builds baseline behavioral profiles of your organizationΓÇÖs entities (such as **users**, **hosts**, **IP addresses**, and **applications**) across time and peer group horizon. With various techniques and machine learning capabilities, Microsoft Sentinel can then identify anomalous activity and help you determine if an asset has been compromised. Not only that, but it can also figure out the relative sensitivity of particular assets, identify peer groups of assets, and evaluate the potential impact of any given compromised asset (its ΓÇ£blast radiusΓÇ¥). Armed with this information, you can effectively prioritize your investigation and incident handling.

-Learn more about UEBA in the _UEBA Webinar_ ([YouTube](https://www.youtube.com/watch?v=ixBotw9Qidg&ab_channel=MicrosoftSecurityCommunity), [Presentation](https://onedrive.live.com/?authkey=%21ADXz0j2AO7Kgfv8&cid=66C31D2DBF8E0F71&id=66C31D2DBF8E0F71%21515&parId=66C31D2DBF8E0F71%21508&o=OneUp), [MP4](https://onedrive.live.com/?authkey=%21AO0122hqWUkZTJI&cid=66C31D2DBF8E0F71&id=66C31D2DBF8E0F71%211909&parId=66C31D2DBF8E0F71%21508&o=OneUp)) and read about using [UEBA for investigations in your SOC](https://techcommunity.microsoft.com/t5/azure-sentinel/guided-ueba-investigation-scenarios-to-empower-your-soc/ba-p/1857100).

-For watching the latest updates, see [Future of Users Entity Behavioral Analytics in Sentinel webinar](https://www.youtube.com/watch?v=dLVAkSLKLyQ&ab_channel=MicrosoftSecurityCommunity).

-Part of operating a SIEM is making sure it works smoothly and an evolving area in Azure Sentinel. Use the following to monitor Microsoft Sentinel's health:

-* Measure the efficiency of your [Security operations](manage-soc-with-incident-metrics.md#security-operations-efficiency-workbook) ([video](https://www.youtube.com/watch?v=jRucUysVpxI&ab_channel=MicrosoftSecurityCommunity))

-* **SentinelHealth data table**. Provides insights on health drifts, such as latest failure events per connector, or connectors with changes from success to failure states, which you can use to create alerts and other automated actions. Find more information [here](/azure/sentinel/monitor-data-connector-health).

-* Monitor [Data connectors health](monitor-data-connector-health.md) ([video](https://www.youtube.com/watch?v=T6Vyo7gZYds&ab_channel=MicrosoftSecurityCommunity)) and [get notifications on anomalies](https://techcommunity.microsoft.com/t5/microsoft-sentinel-blog/data-connector-health-push-notification-alerts/ba-p/1996442).

-* Monitor agents using the [agents' health solution (Windows only)](../azure-monitor/insights/solution-agenthealth.md) and the [Heartbeat table](/azure/azure-monitor/reference/tables/heartbeat)(Linux and Windows).

-* Monitor your Log Analytics workspace: [YouTube](https://www.youtube.com/watch?v=DmDU9QP_JlI&ab_channel=MicrosoftSecurityCommunity), [MP4](https://onedrive.live.com/?cid=66c31d2dbf8e0f71&id=66C31D2DBF8E0F71%21792&ithint=video%2Cmp4&authkey=%21ALgHojpWDidvFyo), [Presentation](https://onedrive.live.com/?cid=66c31d2dbf8e0f71&id=66C31D2DBF8E0F71%21794&ithint=file%2Cpdf&authkey=%21AAva%2Do6Ru1fjJ78), including query execution and ingest health.

-* Cost management is also an important operational procedure in the SOC. Use the [Ingestion Cost Alert Playbook](https://techcommunity.microsoft.com/t5/azure-sentinel/ingestion-cost-alert-playbook/ba-p/2006003) to ensure you're aware in time of any cost increase.

-### Module 20: Extending and Integrating using Microsoft Sentinel APIs

-As a cloud-native SIEM, Microsoft Sentinel is an API first system. Every feature can be configured and used through an API, enabling easy integration with other systems and extending Sentinel with your own code. If API sounds intimidating to you, don't worry; whatever is available using the API is [also available using PowerShell](https://techcommunity.microsoft.com/t5/azure-sentinel/new-year-new-official-azure-sentinel-powershell-module/ba-p/2025041).

-To learn more about Microsoft Sentinel APIs, watch the [short introductory video](https://www.youtube.com/watch?v=gQDBkc-K-Y4&ab_channel=MicrosoftSecurityCommunity) and read the [blog post](https://techcommunity.microsoft.com/t5/microsoft-sentinel-blog/microsoft-sentinel-api-101/ba-p/1438928). To get the details, watch the deep dive Webinar ([MP4](https://onedrive.live.com/?authkey=%21ACZmq6oAe1yVDmY&cid=66C31D2DBF8E0F71&id=66C31D2DBF8E0F71%21307&parId=66C31D2DBF8E0F71%21305&o=OneUp), [YouTube](https://www.youtube.com/watch?v=Cu4dc88GH1k&ab_channel=MicrosoftSecurityCommunity), [Presentation](https://onedrive.live.com/?authkey=%21AF3TWPEJKZvJ23Q&cid=66C31D2DBF8E0F71&id=66C31D2DBF8E0F71%21308&parId=66C31D2DBF8E0F71%21305&o=OneUp)) and read the blog post [_Extending Microsoft Sentinel: APIs, Integration, and management automation_](https://techcommunity.microsoft.com/t5/microsoft-sentinel-blog/extending-azure-sentinel-apis-integration-and-management/ba-p/1116885).

-### Module 21: Bring your own ML

-Microsoft Sentinel provides a great platform for implementing your own Machine Learning algorithms. We call it Bring-Your-Own-ML(BYOML for short). BYOML is intended for advanced users. If you're looking for built-in behavioral analytics, use our ML Analytics rules, UEBA module, or write your own behavioral analytics KQL-based analytics rules.

-To start with bringing your own ML to Microsoft Sentinel, watch the [video](https://www.youtube.com/watch?v=QDIuvZbmUmc), and read the [blog post](https://techcommunity.microsoft.com/t5/microsoft-sentinel-blog/build-your-own-machine-learning-detections-in-the-ai-immersed/ba-p/1750920). You might also want to refer to the [BYOML documentation](bring-your-own-ml.md).

- `Connect-AzAccount`

- `Get-AzSubscription ΓÇôSubscriptionName <your subscription name> | Select-AzSubscription`

- $Vault = Get-AzRecoveryServicesVault -Name <name of your vault>

- Set-AzRecoveryServicesVaultContext -Vault $Vault

- `$Fabric = Get-AzRecoveryServicesAsrFabric -FriendlyName <name of your configuration server>`

- `Remove-AzRecoveryServicesAsrFabric -Fabric $Fabric [-Force]`